CVE-2026-32228
Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions
CVSS 3.1: 7.5 (HIGH)
EPSS: 0.11%
Description
A UI or API user with the asset materialize permission could trigger DAGs they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue.
How to fix CVE-2026-32228
To remediate CVE-2026-32228, upgrade the affected package to one of the fixed versions listed below.
- Bitnami/airflow—upgrade to 3.2.0 or later
- —upgrade to 3.2.0 or later
Is CVE-2026-32228 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 3.0.0, < 3.2.0
- >= 3.0.0, < 3.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |