Apache Ships 12 Patches Across 7 Projects: Shiro, Airflow, Syncope Lead the Batch
Apache disclosed 12 CVEs across seven projects between May 25 and 28, 2026. Shiro accounts for four of them, and an unauthenticated LDAP filter injection in Airflow's FAB Auth Manager is the batch's most dangerous flaw for unpatched deployments despite a mid-range CVSS score.

Between May 25 and May 28, 2026, the Apache Software Foundation published 12 CVEs spanning seven distinct projects — a coordinated disclosure batch that touches Shiro, Airflow, Syncope, Ignite, Flink, Artemis, and ECharts. The cluster includes two High-severity flaws (CVSS 7.2 and 8.1) and a mix of medium-severity issues ranging from session fixation and open redirect to SSRF, path traversal, and XSS. Several of the bugs require authentication to exploit, but others — notably an LDAP filter injection in Airflow's FAB Auth Manager — are reachable by unauthenticated attackers.
Apache Shiro accounts for four of the twelve CVEs, all published on May 25. CVE-2026-43828 (CVSS 6.5) and CVE-2026-43827 (CVSS 6.5) are default-configuration weaknesses. The former omits the Secure attribute on sensitive cookies even when the application is served over HTTPS; a browser will then send the session cookie on any plaintext http:// request to the same host, so an attacker who can induce such a request (a link, or an image injected on a hostile network) can capture the session ID in transit. The latter is a session fixation flaw: the session that existed before authentication is neither invalidated nor rotated on login, so an attacker who plants a known session ID in a victim's browser owns that session once the victim authenticates. Both affect Shiro from 1.0 through 2.1.0 and 3.0.0-alpha-1, and are fixed in 2.1.1 and 3.0.0-alpha-2.
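The two Shiro default-configuration issues, as an added illustration rather than Shiro's own code: a toy session store with a login handler that keeps whatever session ID the request already carried (the session fixation pattern) beside one that rotates the ID on authentication, plus a Set-Cookie builder showing what the missing Secure attribute looks like. The store, handler names and the cookie name JSESSIONID used in the header are this example's own assumptions.

```python
import secrets


class SessionStore:
    """Minimal in-memory session table: session id -> attributes (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def exists(self, sid: str) -> bool:
        return sid in self._sessions

    def get(self, sid: str) -> dict:
        return self._sessions[sid]

    def delete(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def user_for(self, sid: str):
        """Who a given session id currently authenticates as, or None."""
        return self._sessions.get(sid, {}).get("user")


def login_vulnerable(store: SessionStore, presented_sid: str, user: str) -> str:
    """Session-fixation pattern: authenticate into the session the request already had."""
    sid = presented_sid if store.exists(presented_sid) else store.create()
    store.get(sid)["user"] = user
    return sid


def login_fixed(store: SessionStore, presented_sid: str, user: str) -> str:
    """Rotate on privilege change: drop the pre-auth session and mint a fresh id."""
    if store.exists(presented_sid):
        store.delete(presented_sid)
    sid = store.create()
    store.get(sid)["user"] = user
    return sid


def session_cookie(sid: str, secure: bool = True) -> str:
    """Build the Set-Cookie header; secure=False reproduces the missing Secure attribute."""
    attrs = ["JSESSIONID=" + sid, "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")  # browser sends the cookie over TLS only
    attrs.append("SameSite=Lax")
    return "Set-Cookie: " + "; ".join(attrs)


def fixation_attack(login) -> object:
    """Simulate the attack: the attacker obtains a valid pre-auth id, plants it in the
    victim's browser (out of scope here), and the victim logs in presenting that id.
    Returns the user the attacker's id authenticates as afterwards."""
    store = SessionStore()
    attacker_sid = store.create()
    login(store, attacker_sid, "victim")
    return store.user_for(attacker_sid)


if __name__ == "__main__":
    print("vulnerable login, attacker's cookie now yields:", fixation_attack(login_vulnerable))
    print("fixed login, attacker's cookie now yields:", fixation_attack(login_fixed))
    print(session_cookie("example", secure=False))
    print(session_cookie("example", secure=True))
```

With the vulnerable handler the attacker's pre-set ID ends up mapped to the victim's account; with the rotating handler that ID is gone from the store and the victim gets a fresh one. Rotation must happen on every privilege change, not only on login, and the new ID must be issued with Secure and HttpOnly set.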
The other two Shiro CVEs target the shiro-jakarta-ee integration module. CVE-2026-48589 (CVSS 5.4) is an open redirect triggered via the HTTP Referer header after login — insufficient validation lets an attacker steer authenticated users to an external malicious site. CVE-2026-44598 (CVSS 5.4) combines an open redirect with a Server-Side Request Forgery (SSRF) vector, also in the Jakarta EE module. Both require valid login credentials to exploit, limiting the blast radius to authenticated sessions.
Apache Airflow contributed two CVEs, one of which is the batch's highest-scored bug. CVE-2026-45361 (CVSS 8.1, High) affects apache-airflow-providers-google versions prior to 22.0.0. The ComputeEngineSSHHook disables SSH host-key verification by default, so the hook accepts whatever host key the remote end presents. A network-level attacker positioned between an Airflow worker and a Google Compute Engine VM can therefore impersonate the VM, terminate the SSH session itself, and read or alter the commands and data the task sends. Users are advised to upgrade to apache-airflow-providers-google 22.0.0 or later and, because the old default was permissive, to confirm after upgrading that their connections actually check host keys.
CVE-2026-46745 (CVSS 5.3) targets the Airflow FAB Auth Manager and, despite its moderate score, is arguably the batch's most dangerous bug for unpatched deployments: an LDAP filter injection (CWE-90) in which attacker-supplied input reaches the directory search filter unescaped, allowing unauthenticated attackers to exfiltrate directory data or bypass authentication entirely. Only deployments that authenticate FAB users against LDAP are exposed. The fix ships in apache-airflow-providers-fab 3.6.4. The advisory recommends disabling LDAP authentication as an immediate workaround if upgrading is not possible.
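How an LDAP filter injection of this class works, as an added example that is not FAB's or Airflow's code: a filter built by string concatenation beside the same filter with RFC 4515 escaping, evaluated by a small filter interpreter over a constructed in-memory directory. The filter shape `(&(objectClass=person)(uid=...))`, the attribute names and the directory entries are this example's own assumptions, not FAB's actual query.

```python
import re

# Constructed directory standing in for the LDAP server the auth manager would query.
DIRECTORY = [
    {"objectClass": "person", "uid": "alice", "description": "sre on-call"},
    {"objectClass": "person", "uid": "bob", "description": "billing"},
    {"objectClass": "group", "uid": "admins"},
]


def escape_filter_chars(value: str) -> str:
    """RFC 4515 escaping: *, (, ), backslash and NUL become \\XX so the value stays literal."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_chars(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def filter_unsafe(username: str) -> str:
    """The injectable pattern: caller input spliced straight into the filter string."""
    return f"(&(objectClass=person)(uid={username}))"


def filter_safe(username: str) -> str:
    """Same search with the value escaped; input can no longer change the filter structure."""
    return f"(&(objectClass=person)(uid={escape_filter_chars(username)}))"


def _parse(s: str, i: int):
    """Recursive-descent parser for the filter subset used here: &, |, ! and attr=value."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, subs), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return ("!", node), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("unbalanced filter")
    return node


def _matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(n, entry) for n in node[1])
    if kind == "|":
        return any(_matches(n, entry) for n in node[1])
    if kind == "!":
        return not _matches(node[1], entry)
    _, attr, pattern = node
    value = entry.get(attr)
    if value is None:
        return False
    # An unescaped '*' is a wildcard; escaped pieces are matched literally.
    regex = ".*".join(re.escape(unescape_filter_chars(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def search(ldap_filter: str, directory=DIRECTORY) -> list:
    """Return the uids the filter selects, the way an LDAP search returns entries."""
    node = parse_filter(ldap_filter)
    return [e["uid"] for e in directory if _matches(node, e)]


if __name__ == "__main__":
    for username in ["alice", "*", "alice)(description=s*", "alice)(description=t*"]:
        print(repr(username), "unsafe ->", search(filter_unsafe(username)),
              "safe ->", search(filter_safe(username)))
```

Two payloads are worth tracing. A bare `*` turns the unescaped filter into `(uid=*)`, which selects every person: in a search-then-bind login flow that is the authentication bypass. `alice)(description=s*` appends an extra clause, so the filter only matches when alice's description starts with `s`; repeating that with different prefixes reads an attribute the caller was never meant to see, one character at a time. With escaping applied both payloads become literal `uid` values and match nothing.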
Apache Syncope received two CVEs, both requiring administrator-level entitlements. CVE-2026-42782 (CVSS 7.2, High) is an improper isolation vulnerability: an administrator with Implementation entitlements can supply a Groovy class whose static initializer carries the payload. Because a static initializer runs when the class is loaded rather than when Syncope invokes the script body, the payload reaches a non-sandboxed execution path and effectively escapes Syncope's script sandbox. CVE-2026-42797 (CVSS 4.9) is an information disclosure bug in Derived Schemas: a crafted JEXL expression lets an administrator with User-read entitlements access security-sensitive user data. Both affect Syncope 3.0 through the latest 3.x releases.
The remaining four CVEs each hit a different Apache project. CVE-2025-48977 (CVSS 6.5) is a relative path traversal in Apache Ignite's REST API: an authenticated user can read arbitrary files on the server by passing a crafted log path to the cmd=log command. The flaw affects Ignite 2.0.0 through 2.17.0 and is fixed in 2.18.0.

CVE-2026-40564 (no CVSS score listed) affects the Apache Flink Kubernetes Operator. The jarURI field of a FlinkSessionJob custom resource is not validated, so anyone with permission to create that CR can make the operator read local files or issue requests to hosts of the attacker's choosing (SSRF) from the operator's network position.

CVE-2026-40914 (CVSS 4.3) is an authorization bypass in Apache Artemis's STOMP protocol handler: a user who holds only consume or send permission on an address can add a routing type to that address, a change that should require the createAddress permission.

Finally, CVE-2026-45249 (CVSS 6.1) is a stored/reflected XSS in Apache ECharts' Lines series tooltip rendering. When a Lines series is combined with a tooltip and no user-specified tooltip.formatter is set, attacker-controlled content in series.data[i].name is rendered into the tooltip and can execute arbitrary JavaScript in the viewer's browser. The fix is in ECharts 6.1.0; charts that already supply their own formatter should check that it HTML-encodes any name it echoes, since a custom formatter moves that responsibility to the application.
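The two input-validation gaps above, the Ignite log path and the Flink jarURI, share a shape: a caller-supplied locator is used without being confined to what the feature needs. The following added example (not Ignite or Flink operator code, which are Java) shows the lexical checks a practitioner would put in front of each. The log root, the allowed schemes and the artifact host are this example's own assumptions, and the `cmd=log&path=...` query layout is a constructed stand-in for the real request format.

```python
import ipaddress
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlparse

LOG_ROOT = PurePosixPath("/var/log/ignite")        # assumed log directory
ALLOWED_JAR_SCHEMES = {"https", "s3"}              # assumed jarURI policy
ALLOWED_JAR_HOSTS = {"artifacts.example.com"}      # assumed artifact store


def resolve_log_path(user_path: str) -> PurePosixPath:
    """Confine a caller-supplied log path to LOG_ROOT.

    Rejects NUL bytes and backslashes, absolute paths and any '..' component, and
    finally checks that the joined path still sits under LOG_ROOT. On a real
    filesystem also resolve symlinks (os.path.realpath) and re-check the prefix.
    """
    if "\x00" in user_path or "\\" in user_path:
        raise ValueError("illegal character in path")
    candidate = PurePosixPath(user_path)
    if candidate.is_absolute():
        raise ValueError("absolute paths are not allowed")
    if ".." in candidate.parts:
        raise ValueError("path traversal rejected")
    resolved = LOG_ROOT.joinpath(candidate)
    if LOG_ROOT not in resolved.parents:
        raise ValueError("path escapes log root")
    return resolved


def log_path_from_query(query: str) -> PurePosixPath:
    """Parse a constructed cmd=log query string and validate its path parameter."""
    params = parse_qs(query, keep_blank_values=True)
    if params.get("cmd") != ["log"]:
        raise ValueError("not a log command")
    path = params.get("path", [""])[0]
    if not path:
        raise ValueError("missing path")
    return resolve_log_path(path)


def validate_jar_uri(uri: str) -> str:
    """Allow only remote artifact locations on an allowlisted host.

    file:// (local file read), embedded credentials, literal non-public addresses
    such as cloud metadata endpoints, and hosts off the allowlist are rejected.
    A hostname that later resolves to an internal address needs a resolver-side
    check as well; this function is lexical only.
    """
    parsed = urlparse(uri)
    if parsed.scheme not in ALLOWED_JAR_SCHEMES:
        raise ValueError(f"scheme {parsed.scheme!r} not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URI rejected")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None and not addr.is_global:
        raise ValueError("non-public address rejected")
    if host not in ALLOWED_JAR_HOSTS:
        raise ValueError(f"host {host!r} not allowlisted")
    return uri


def rejects(func, *args) -> bool:
    """True if func(*args) raises ValueError; used to report outcomes below."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(log_path_from_query("cmd=log&path=node1/ignite.log"))
    print("traversal rejected:", rejects(log_path_from_query, "cmd=log&path=../../etc/passwd"))
    print(validate_jar_uri("https://artifacts.example.com/jobs/wordcount.jar"))
    print("file:// rejected:", rejects(validate_jar_uri, "file:///etc/passwd"))
    print("metadata rejected:", rejects(validate_jar_uri, "https://169.254.169.254/computeMetadata/v1/"))
```

An allowlist of hosts is deliberately stricter than a denylist of internal addresses: the denylist alone misses hostnames that resolve to private ranges, redirects, and any address range the list forgot.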
All affected projects have released patched versions. Users of Apache Shiro should upgrade to 2.1.1 or 3.0.0-alpha-2; Airflow users need apache-airflow-providers-fab 3.6.4 and apache-airflow-providers-google 22.0.0; Syncope, Ignite, Flink Kubernetes Operator, Artemis, and ECharts each have specific version bumps noted in their respective advisories. This batch underscores the challenge of securing a sprawling open-source ecosystem — seven projects, seven different fix trains, but a single disclosure window that demands attention from any organization running Apache infrastructure.