Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3110 articles · 172043 vulns · 37/41 feeds (7d)
← Back to list
4.3
CVE-2026-48891EXPLOITEDPATCHED
apache software foundation · apache airflow

Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target

Description

A bug in Apache Airflow's `/ui/dependencies` scheduling graph endpoint applied the caller's readable-Dag filter to the top-level serialized Dag key but still emitted referenced Dag IDs through the `dep.source` and `dep.target` fields of trigger / sensor dependency entries. An authenticated UI user with read permission on some Dags could enumerate the identifiers of other Dags they were not authorized to read by inspecting the dependency graph for trigger / sensor references. Affects deployments that rely on per-Dag read scoping to keep Dag identifiers private across teams. This is a residual gap in the fix for CVE-2026-28563, which filtered the top-level Dag key but did not propagate the filter into the trigger / sensor dep-source / dep-target fields. Users who already upgraded for CVE-2026-28563 should additionally upgrade to `apache-airflow` 3.3.0 or later to cover the residual trigger / sensor dependency leak.

Affected Products

VendorProductVersions
apache software foundationapache airflow0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
apacheairflowcert_advisory90%

References

  • https://github.com/apache/airflow/pull/67627(patch)
  • https://www.cve.org/CVERecord?id=CVE-2026-28563(related)
  • https://lists.apache.org/thread/wzc8nflg94rq6w8f5tvtlo0o3g4wjrfl(vendor-advisory)

Related News (2 articles)

Tier B
BSI Advisories10h ago
[NEU] [mittel] Apache Airflow: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
oss-security11h ago
CVE-2026-48891: Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target
→ No new info (linked only)
CVSS 3.14.3 MEDIUM
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
3.3.0
CWECWE-200
PublishedJul 7, 2026
Last enriched10h agov2
Trending Score52
Source articles2
Independent2
Info Completeness9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-33264EXP
Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Trending: 76
MEDIUMCVE-2026-48892EXP
Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
Trending: 55
MEDIUMCVE-2026-48828EXP
Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
Trending: 55
NONECVE-2026-49487EXP
Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
Trending: 52
CRITICALCVE-2026-53913
Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted
Trending: 44

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 7, 2026
Discovered by ZDM
Jul 7, 2026
Updated: severity, affectedVersions, exploitAvailable, activelyExploited
Jul 7, 2026
Actively Exploited
Jul 7, 2026
Exploit Available
Jul 7, 2026
Patch Available
Jul 7, 2026

Version History

v2
Last enriched 10h ago
v2Tier C10h ago

Updated severity to LOW, marked exploit as available, and noted active exploitation.

severityaffectedVersionsexploitAvailableactivelyExploited
via oss-security
v111h ago

Initial creation