CVE-2026-32228

Low

Low Medium High Critical

CVSS Score

Published: Apr 18, 2026

Last Modified: Apr 18, 2026

Vulnerability Description

UI / API User with asset materialize permission could trigger dags they had no access to.
Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

References & Resources

https://github.com/apache/airflow/pull/63338
security@apache.org
https://lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwgcrzy0nj
security@apache.org
http://www.openwall.com/lists/oss-security/2026/04/17/8
af854a3a-2127-422b-91ae-364da2661108

Severity Details

out of 10.0

Low

Weakness Type (CWE)

CWE-863 Top 25 #24

Incorrect Authorization

Description: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Exploit Likelihood: High
Typical Severity: High
OWASP Top 10: A01:2021-Broken Access Control
Abstraction Level: Class

View CWE Details on MITRE

Key Information

Published Date: April 18, 2026

External Resources

NIST NVD

National Vulnerability Database

MITRE CVE

Official CVE record

CVE Vulnerabilities

Posts & Pages