In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently granted the global all-DAGs permission (privilege escalation). The escalation triggers when a DAG named `DAGs` exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to upgrade to `apache-airflow-providers-fab` 3.7.2 or later, which disambiguates the resource-name collision.
History

Mon, 13 Jul 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow Fab Provider
Vendors & Products Apache
Apache airflow Fab Provider

Mon, 13 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Description In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently granted the global all-DAGs permission (privilege escalation). The escalation triggers when a DAG named `DAGs` exists and a lower-privileged user is given per-DAG access to it, granting that user read/edit access to every DAG. Users are advised to upgrade to `apache-airflow-providers-fab` 3.7.2 or later, which disambiguates the resource-name collision.
Title Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
Weaknesses CWE-269
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-07-13T15:05:21.156Z

Updated: 2026-07-13T19:30:49.937Z

Reserved: 2026-07-04T01:50:50.590Z

Link: CVE-2026-59245

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.