PT-2026-56177 · Apache · Apache Airflow

Jarek Potiuk

·

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-48891

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.3.0
Description A bug in the /ui/dependencies scheduling graph endpoint allows an authenticated UI user with read permissions on some Dags to enumerate identifiers of other Dags they are not authorized to read. While the system applies a readable-Dag filter to the top-level serialized Dag key, it fails to propagate this filter to the dep.source and dep.target fields of trigger and sensor dependency entries. This issue affects deployments that use per-Dag read scoping to maintain privacy of Dag identifiers across teams.
Recommendations Update to version 3.3.0 or later.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-48891

Affected Products

Apache Airflow