Information Disclosure in Apache Airflow's Scheduling Graph Endpoint
CVE-2026-48891
Currently unrated
What is CVE-2026-48891?
A flaw in the Apache Airflow scheduling graph endpoint allows authenticated users with read permissions on certain Dags to unintentionally access identifiers of other Dags they are not authorized to view. This issue arises due to a gap in filtering applied to the dependency graph, where the Dag identifiers are exposed through dep.source and dep.target fields despite the top-level serialized Dag key being secured. Users must upgrade to apache-airflow version 3.3.0 or later to mitigate this exposure, particularly if they had already addressed a prior related vulnerability.
Affected Version(s)
Apache Airflow 0 < 3.3.0