oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-32228: Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to

From: Rahul Vats <rahulvats () apache org>
Date: Fri, 17 Apr 2026 10:31:25 +0000
Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.2.0

Description:

UI / API User with asset materialize permission could trigger dags they had no access to.
Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

Credit:

Masamune - Unit515 OPSWAT (finder)
Ahmad Abuzaid (finder)
Pierre Jeambrun (remediation developer)

References:

https://github.com/apache/airflow/pull/63338
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-32228
Previous By Date Next
Previous By Thread Next

Current thread: