THREAT OPS › Threat News › CVE-2026-59245: Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
CVE-2026-59245: Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
<p>Posted by Vincent Beck on Jul 13</p>Severity: moderate <br /> <br /> Affected versions:<br /> <br /> - Apache Airflow FAB provider (apache-airflow-providers-fab) before 3.7.2<br /> <br /> Description:<br /> <br /> In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission <br /> resource name produced by `resource_name()`, so a user grant
Indicators of compromise
- CVE-2026-59245cve
Original source: https://seclists.org/oss-sec/2026/q3/125