CVE-2026-32228

HIGH7.5EPSS 0.11%

Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to

Published: 4/18/2026Modified: 4/22/2026

Also known as:GHSA-h97w-pm3w-mwmcBIT-airflow-2026-32228

Description

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

Affected packages (2)

Bitnami/airflow>= 3.0.0, < 3.2.0
PyPI/apache-airflow-core>= 3.0.0, < 3.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32228
PATCHhttps://github.com/apache/airflow
WEBhttps://github.com/apache/airflow/pull/63338
WEBhttps://lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwgcrzy0nj
WEBhttp://www.openwall.com/lists/oss-security/2026/04/17/8