High severity7.5NVD Advisory· Published Apr 18, 2026· Updated Apr 21, 2026
CVE-2026-32228
CVE-2026-32228
Description
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflow-corePyPI | >= 3.0.0, < 3.2.0 | 3.2.0 |
Affected products
1Patches
16d0142061caehttps://github.com/apache/airflowvia nvd-ref
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- www.openwall.com/lists/oss-security/2026/04/17/8nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-h97w-pm3w-mwmcghsaADVISORY
- lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwgcrzy0njnvdVendor AdvisoryMailing ListWEB
- nvd.nist.gov/vuln/detail/CVE-2026-32228ghsaADVISORY
- github.com/apache/airflow/pull/63338nvdIssue TrackingWEB
News mentions
0No linked articles in our index yet.