CVE-2026-32228
Received
Received - Intake
Permission Escalation in Apache Airflow UI/API Allows Unauthorized DAG Triggering
Publication date: 2026-04-18
Last updated on: 2026-04-21
Assigner: Apache Software Foundation
Description
Description
UI / API User with asset materialize permission could trigger dags they had no access to.
Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | From 3.0.0 (inc) to 3.2.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows a UI or API user who has the asset materialize permission to trigger Directed Acyclic Graphs (DAGs) that they normally would not have access to.
How can this vulnerability impact me? :
The impact of this vulnerability is that users with certain permissions could execute workflows (DAGs) they are not authorized to access, potentially leading to unauthorized actions or data processing within the system.
What immediate steps should I take to mitigate this vulnerability?
Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70