Skip to content

fix: the ldap authentication handler in the flask-ap... in override.py#66417

Open
orbisai0security wants to merge 1 commit intoapache:mainfrom
orbisai0security:fix-ldap-injection-and-security-hardening
Open

fix: the ldap authentication handler in the flask-ap... in override.py#66417
orbisai0security wants to merge 1 commit intoapache:mainfrom
orbisai0security:fix-ldap-injection-and-security-hardening

Conversation

@orbisai0security
Copy link
Copy Markdown

@orbisai0security orbisai0security commented May 5, 2026

Summary

Fix critical severity security issue in providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py.

Vulnerability

Field Value
ID V-001
Severity CRITICAL
Scanner multi_agent_ai
Rule V-001
File providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py:2421

Description: The LDAP authentication handler in the Flask-AppBuilder security manager constructs LDAP filter strings using Python f-string interpolation, directly embedding the user-supplied username value without any escaping or sanitization. An attacker can supply a crafted username such as 'admin)(|(uid=*' to break out of the intended filter structure and craft an arbitrary LDAP query. This can result in authentication bypass, granting access as any LDAP user including administrators, or enumeration of all directory entries.

Changes

  • providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

@orbisai0security
fix: V-001 security vulnerability
20cad38 
Automated security fix generated by Orbis Security AI
@orbisai0security orbisai0security requested a review from vincbeck as a code owner May 5, 2026 12:24
@boring-cyborg
Copy link
Copy Markdown

boring-cyborg Bot commented May 5, 2026

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example Dag that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: dev@airflow.apache.org
    Slack: https://s.apache.org/airflow-slack

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vincbeck vincbeck Awaiting requested review from vincbeck vincbeck is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

area:providers provider:fab

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@orbisai0security