User Interface/API Permission Vulnerability in Apache Airflow
CVE-2026-32228

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 18 April 2026

What is CVE-2026-32228?

A vulnerability in Apache Airflow allows users with asset materialize permissions to trigger Directed Acyclic Graphs (DAGs) they are not authorized to access. This issue could potentially expose sensitive workflows and data to unauthorized manipulation. Users are strongly recommended to upgrade to Airflow version 3.2.0, which addresses this critical permission flaw.

Affected Version(s)

Apache Airflow 3.0.0 < 3.2.0

References

https://github.com/apache/airflow/pull/63338

patch

https://lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwg...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 18, 2026
Vulnerability Reserved
Mar 11, 2026

Credit

Masamune - Unit515 OPSWAT

Ahmad Abuzaid

Pierre Jeambrun

CVE-2026-32228 Data

JSON