A bug in Apache Airflow's /ui/dependencies scheduling graph endpoint applied the caller's readable-Dag filter to the top-level serialized Dag key but still emitted referenced Dag IDs through the dep.source and dep.target fields of trigger / sensor dependency entries. An authenticated UI user with read permission on some Dags could enumerate the identifiers of other Dags they were not authorized to read by inspecting the dependency graph for trigger / sensor references. Affects deployments that rely on per-Dag read scoping to keep Dag identifiers private across teams. This is a residual gap in the fix for CVE-2026-28563, which filtered the top-level Dag key but did not propagate the filter into the trigger / sensor dep-source / dep-target fields. Users who already upgraded for CVE-2026-28563 should additionally upgrade to apache-airflow 3.3.0 or later to cover the residual trigger / sensor dependency leak.
CVE-2026-48891
Score 4.3 from GitHub Security Advisory published 2026-07-07. CISA-ADP (Vulnrichment) CVSS v3.1 baseline 4.3; sources differ by 0.0.
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 4.3
- EG Score
- 4.3(high)
- EPSS
- 46.4%
- KEV
- Not listed
Published
July 7, 2026
Last Modified
July 9, 2026
Advisory Details (3)
Auto-updated Jul 9, 2026Filter scheduling-dependencies graph edges by readable-DAG access
Fix merged in apache/airflow PR #67627 on 2026-06-02 — awaiting tagged release
https://github.com/apache/airflow/pull/67627Vendor Advisories for CVE-2026-48891(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| apache-airflow | 1.10.0 ... 3.3.0rc2 (294 versions) | 3.3.0 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 19× in last 7d / 25× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-15 22:10 UTCEG score recompute
- 2026-07-15 22:10 UTCGHSA enrichment
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-14 19:43 UTCEG score recompute
- 2026-07-14 19:43 UTCGHSA enrichment
- 2026-07-13 22:30 UTCEPSS rescore
- 2026-07-13 17:20 UTCEG score recompute
- 2026-07-13 17:20 UTCGHSA enrichment
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-12 14:57 UTCEG score recompute
- 2026-07-12 14:57 UTCGHSA enrichment
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 12:33 UTCEG score recompute
- 2026-07-11 12:33 UTCGHSA enrichment
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-10 10:10 UTCEG score recompute▲ 4.30
- 2026-07-10 10:10 UTCGHSA enrichment
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-07 13:53 UTCMITRE cvelistV5CVSS v3 → 4.3 · severity → MEDIUM
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 11:56 UTCNVD update
- 2026-07-07 10:07 UTCEG score recompute
- 2026-07-07 10:06 UTCMITRE cvelistV5first tracked
Related CVEs(same CWE)
Same CWE
10 shownCWE-200
Frequently asked(5)
What is CVE-2026-48891?
When was CVE-2026-48891 disclosed?
Is CVE-2026-48891 actively exploited?
What is the CVSS score of CVE-2026-48891?
How do I remediate CVE-2026-48891?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48891
Is Your Infrastructure Affected by CVE-2026-48891?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.