Apache Airflow FAB: DAG ID 'DAGs' collision grants global DAG access
CVE-2026-59245 Published on July 13, 2026

Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently granted the global all-DAGs permission (privilege escalation). The escalation triggers when a DAG named `DAGs` exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to upgrade to `apache-airflow-providers-fab` 3.7.2 or later, which disambiguates the resource-name collision.

Vendor Advisory NVD

Weakness Type

Improper Privilege Management

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


Products Associated with CVE-2026-59245

Want to know whenever a new CVE is published for Apache AirFlow? stack.watch will email you.

 

Affected Versions

Apache Software Foundation Apache Airflow FAB provider: