Privilege escalation in Apache Software Foundation Airflow Fab Provider

CVE-2026-59245

In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently grante…

Vulnerability class: Privilege Escalation

Affected products

Weakness classification (CWE)

References