CVE-2026-48891 Overview
CVE-2026-48891 is an information disclosure vulnerability in Apache Airflow's /ui/dependencies scheduling graph endpoint. The endpoint applies the caller's readable-Dag filter to the top-level serialized Dag key but fails to propagate that filter to the dep.source and dep.target fields of trigger and sensor dependency entries. An authenticated UI user with read access to a subset of Dags can enumerate identifiers of Dags they are not authorized to view. The flaw is a residual gap in the fix for CVE-2026-28563, which addressed the top-level key but did not extend filtering to referenced dependency fields. Deployments relying on per-Dag read scoping to maintain identifier privacy across teams are affected.
Critical Impact
Authenticated users with limited Dag read permissions can enumerate hidden Dag identifiers through trigger and sensor dependency references, breaking per-Dag access boundaries in multi-tenant Airflow deployments.
Affected Products
- Apache Airflow versions prior to 3.3.0
- Deployments that upgraded for CVE-2026-28563 but not to 3.3.0
- Multi-team Airflow instances relying on per-Dag read scoping
Discovery Timeline
- 2026-07-07 - CVE-2026-48891 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-48891
Vulnerability Analysis
The vulnerability resides in the serialization logic of the /ui/dependencies endpoint, which returns a graph describing scheduling relationships between Dags. When a user requests the graph, Airflow filters the top-level serialized Dag key according to the caller's readable-Dag permissions. However, each dependency entry also contains dep.source and dep.target fields referencing related Dag identifiers for trigger and sensor relationships. These reference fields bypass the readable-Dag filter and expose the raw identifiers regardless of the caller's authorization scope. The issue is classified as an Information Exposure weakness under CWE-200. The attacker gains identifier enumeration rather than data content, but this can undermine team-level tenancy assumptions and support further reconnaissance.
Root Cause
The fix for the earlier CVE-2026-28563 introduced authorization filtering at the top-level Dag key of the dependency graph response but did not recursively apply the same filter to nested dependency reference fields. The dep.source and dep.target values are emitted directly from the internal dependency model without checking whether the requesting user has read permission on the referenced Dags.
Attack Vector
An authenticated user with UI access and read permission on at least one Dag issues a request to the /ui/dependencies endpoint. The response contains trigger and sensor dependency entries whose dep.source and dep.target fields disclose the identifiers of Dags outside the user's authorized read scope. No elevated privileges or user interaction are required. Exploitation involves parsing the JSON response to collect unauthorized Dag identifiers for enumeration or subsequent targeted probing.
For implementation-level details of the fix, refer to the Apache Airflow Pull Request 67627 and the Apache Airflow security advisory.
Detection Methods for CVE-2026-48891
Indicators of Compromise
- Repeated authenticated requests to the /ui/dependencies endpoint from users with narrow Dag permission scopes
- Access patterns where a single account inspects the dependency graph without following up with reads on Dags it owns
- Unexpected references to previously unknown Dag identifiers appearing in downstream user activity or API calls
Detection Strategies
- Audit Airflow web server access logs for GET /ui/dependencies requests grouped by user, and correlate with the user's readable-Dag scope
- Compare Dag identifiers returned in dependency graph responses against each user's authorized read set to flag disclosure events
- Track version metadata from Airflow deployments and alert on instances running versions prior to 3.3.0
Monitoring Recommendations
- Enable verbose audit logging for the Airflow REST and UI endpoints, including the requesting principal and response size
- Forward Airflow application logs to a centralized log platform and build queries to identify unusual /ui/dependencies traffic
- Baseline normal dependency-graph query rates per user role and alert on statistically significant deviations
How to Mitigate CVE-2026-48891
Immediate Actions Required
- Upgrade Apache Airflow to version 3.3.0 or later, including deployments that previously upgraded only to address CVE-2026-28563
- Inventory all Airflow instances and identify tenants that depend on per-Dag read scoping for identifier confidentiality
- Review recent access logs for the /ui/dependencies endpoint to determine whether unauthorized enumeration has already occurred
Patch Information
The fix is delivered in apache-airflow version 3.3.0. The patch propagates the readable-Dag filter into the dep.source and dep.target fields of trigger and sensor dependency entries returned by /ui/dependencies. See the upstream pull request and the Apache announcement thread for details. Users who applied the earlier fix for CVE-2026-28563 must still upgrade to close this residual gap.
Workarounds
- Restrict access to the Airflow UI to trusted operators until the upgrade to 3.3.0 is completed
- Where feasible, place a reverse proxy in front of Airflow to block or heavily rate-limit requests to the /ui/dependencies path for lower-privileged roles
- Avoid treating Dag identifiers as sensitive secrets in shared Airflow deployments; assume names may be enumerable until patched
# Configuration example
pip install --upgrade 'apache-airflow>=3.3.0'
# Verify the installed version
airflow version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

