Apache Airflow · Apache Airflow Fab Provider · CVE-2026-46745
**Name of the Vulnerable Software and Affected Versions**
apache-airflow-providers-fab versions prior to 3.6.4
**Description**
Apache Airflow FAB Auth Manager is vulnerable to LDAP filter injection, which occurs when user-supplied input is not properly sanitized before being used in an LDAP filter. This allows unauthenticated attackers to bypass authentication or exfiltrate sensitive directory data.
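The bug class described above, shown as an added example that is not code from the FAB provider or from this advisory: a filter built by plain concatenation beside one whose value is escaped per RFC 4515. The `uid` attribute, the function names and the sample inputs are assumptions made for illustration.

```python
# Added example: RFC 4515 escaping of a value placed in an LDAP search filter.
# Not the FAB provider's code; "uid" and all sample inputs are constructed.

# RFC 4515 section 3: these characters must be written as a backslash
# followed by two hex digits when they appear inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter."""
    # Character-by-character mapping avoids double-escaping the backslash.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: input concatenated straight into the filter."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: input escaped before it reaches the filter."""
    return f"(uid={escape_filter_value(username)})"


def structural_chars(ldap_filter: str) -> int:
    """Count literal parentheses and wildcards, which the server parses as syntax."""
    return sum(ldap_filter.count(ch) for ch in "()*")


if __name__ == "__main__":
    # Constructed inputs: one plain name, one containing filter metacharacters.
    for name in ("alice", "smith (contractor)*"):
        unsafe, safe = build_filter_unsafe(name), build_filter_safe(name)
        print(f"input : {name!r}")
        print(f"unsafe: {unsafe}  syntax chars={structural_chars(unsafe)}")
        print(f"safe  : {safe}  syntax chars={structural_chars(safe)}")
```

A single-attribute filter should contain exactly two syntax characters, its outer parentheses; any higher count means the input changed the query. python-ldap ships an equivalent helper, `ldap.filter.escape_filter_chars`.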
**Recommendations**
Update to apache-airflow-providers-fab version 3.6.4 or later.
As a temporary workaround, disable LDAP authentication until the provider can be updated.