Apache Airflow: Users with asset materialization permisssions could trigger Dags...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

UI / API User with asset materialize permission could trigger dags they had no access to.
Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

Basic Information

ID CVE-2026-32228

Source apache

Published Apr 18, 2026 at 06:19

Modified Apr 20, 2026 at 15:54

Affected Product

Vendor Apache Software Foundation

Product Apache Airflow

Version 3.0.0

Affected Versions Apache Software Foundation Apache Airflow 3.0.0

CWE Classification

CWE-863

References

{
    "lastseen": "",
    "description": "UI / API User with asset materialize permission could trigger dags they had no access to.\nUsers are advised to migrate to Airflow version 3.2.0 that fixes the issue.",
    "published": "2026-04-18T06:19:47.512Z",
    "modified": "2026-04-20T15:54:05.072Z",
    "type": "cve",
    "title": "Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to",
    "source": "apache",
    "references": "https://github.com/apache/airflow/pull/63338\nhttps://lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwgcrzy0nj",
    "id": "CVE-2026-32228",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Airflow 3.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Airflow",
    "version": "3.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to_CVE-2026-32228