CVE-2026-32228

CVE-2026-32228: Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to

Vendor Apache Software Foundation

Product Apache Airflow

Weakness CWE-863 · Incorrect authorization

Published April 18, 2026

Last update April 20, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

Key dates

Disclosure timeline

April 18, 2026 CVE published

April 20, 2026 Record updated