PT-2026-56177 · Apache · Apache Airflow
Jarek Potiuk
·
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-48891
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Airflow versions prior to 3.3.0
Description
A bug in the
/ui/dependencies scheduling graph endpoint allows an authenticated UI user with read permissions on some Dags to enumerate identifiers of other Dags they are not authorized to read. While the system applies a readable-Dag filter to the top-level serialized Dag key, it fails to propagate this filter to the dep.source and dep.target fields of trigger and sensor dependency entries. This issue affects deployments that use per-Dag read scoping to maintain privacy of Dag identifiers across teams.Recommendations
Update to version 3.3.0 or later.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow