CVE-2026-32228 PUBLISHED

Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to

Assigner: apache
Reserved: 11.03.2026 Published: 18.04.2026 Updated: 18.04.2026

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache Airflow
Versions	Default: unaffected affected from 3.0.0 to 3.2.0 (excl.)

Credits

Masamune - Unit515 OPSWAT finder
Ahmad Abuzaid finder
Pierre Jeambrun remediation developer

References

https://github.com/apache/airflow/pull/63338
https://lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwgcrzy0nj

Problem Types

CWE-863: Incorrect Authorization CWE