High severity7.5NVD Advisory· Published Apr 18, 2026· Updated Apr 21, 2026
CVE-2026-32228
CVE-2026-32228
Description
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflow-corePyPI | >= 3.0.0, < 3.2.0 | 3.2.0 |
Affected products
3- osv-coords2 versions
>= 3.0.0, < 3.2.0+ 1 more
- (no CPE)range: >= 3.0.0, < 3.2.0
- (no CPE)range: >= 3.0.0, < 3.2.0
Patches
Vulnerability mechanics
References
5- www.openwall.com/lists/oss-security/2026/04/17/8nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-h97w-pm3w-mwmcghsaADVISORY
- lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwgcrzy0njnvdVendor AdvisoryMailing ListWEB
- nvd.nist.gov/vuln/detail/CVE-2026-32228ghsaADVISORY
- github.com/apache/airflow/pull/63338nvdIssue TrackingWEB
News mentions
0No linked articles in our index yet.