{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32228", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-11T11:33:32.883Z", "datePublished": "2026-04-18T06:19:47.512Z", "dateUpdated": "2026-04-20T15:54:05.072Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.2.0", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Masamune - Unit515 OPSWAT"}, {"lang": "en", "type": "finder", "value": "Ahmad Abuzaid"}, {"lang": "en", "type": "remediation developer", "value": "Pierre Jeambrun"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "UI / API User with asset materialize permission could trigger dags they had no access to.<br>Users are advised to migrate to Airflow version 3.2.0 that fixes the issue."}], "value": "UI / API User with asset materialize permission could trigger dags they had no access to.\nUsers are advised to migrate to Airflow version 3.2.0 that fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-18T06:19:47.512Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/63338"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwgcrzy0nj"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/8"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-18T06:28:59.060Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:53:14.387319Z", "id": "CVE-2026-32228", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:54:05.072Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32228", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-11T11:33:32.883Z", "datePublished": "2026-04-18T06:19:47.512Z", "dateUpdated": "2026-04-20T15:54:05.072Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.2.0", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Masamune - Unit515 OPSWAT"}, {"lang": "en", "type": "finder", "value": "Ahmad Abuzaid"}, {"lang": "en", "type": "remediation developer", "value": "Pierre Jeambrun"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "UI / API User with asset materialize permission could trigger dags they had no access to.<br>Users are advised to migrate to Airflow version 3.2.0 that fixes the issue."}], "value": "UI / API User with asset materialize permission could trigger dags they had no access to.\nUsers are advised to migrate to Airflow version 3.2.0 that fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-18T06:19:47.512Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/63338"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwgcrzy0nj"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/8"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-18T06:28:59.060Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32228", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T15:53:14.387319Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:53:57.981Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8133DE3-F556-42F5-8298-FD4CF40787B6", "versionEndExcluding": "3.2.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "UI / API User with asset materialize permission could trigger dags they had no access to.\nUsers are advised to migrate to Airflow version 3.2.0 that fixes the issue."}], "id": "CVE-2026-32228", "lastModified": "2026-04-21T12:54:57.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-18T07:16:10.560", "references": [{"source": "security@apache.org", "tags": ["Issue Tracking"], "url": "https://github.com/apache/airflow/pull/63338"}, {"source": "security@apache.org", "tags": ["Vendor Advisory", "Mailing List"], "url": "https://lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwgcrzy0nj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/8"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.2.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Airflow", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "airflow", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-20T18:44:48.561229+00:00", "value": {"mitigation_remediation": ["Upgrade to Apache Airflow version 3.2.0 or later to obtain the fix that enforces proper DAG trigger authorization", "If an upgrade is not immediately feasible, revoke or limit asset materialization permissions for users who should not have the ability to trigger DAGs", "After mitigation, monitor Airflow logs for unauthorized DAG execution attempts to detect any residual or new abuse of the affected functionality"], "summary": {"action": "Apply Patch", "impact": "Unauthorized DAG execution leading to potential arbitrary code execution"}, "threat_synthesis": {"affected_systems": "All versions of Apache Airflow prior to 3.2.0 are affected. Migrating to Airflow 3.2.0 or newer removes the vulnerability by enforcing proper authorization on DAG triggers.", "description_and_impact": "A user who has permission to materialize assets can cause a DAG to run through the Airflow UI or API even if the user does not have explicit permission to run that DAG. The flaw allows the user to trigger any DAG that is available in the system, which could lead to execution of code defined in the DAG and therefore compromise the confidentiality, integrity, or availability of the environment. This is a classic missing-authorization weakness categorized as CWE-863.", "risk_and_exploitability": "The vulnerability requires an authenticated user with asset materialization rights, making it an insider or privileged\u2011user threat. The CVSS score of 7.5 indicates a high severity, while the EPSS score of <1% suggests a low likelihood of exploitation in the wild; the issue is not listed in the CISA KEV catalog. Given that triggering a malicious DAG could provide an attacker with arbitrary code execution on the Airflow infrastructure, the potential impact remains high. Exploitation would involve the user logging into the Airflow UI or making API calls to trigger the desired DAG, which can be accomplished without privileges beyond those already granted for asset materialization."}}}}, "created": "2026-04-18T08:30:35.702684+00:00", "updated": "2026-04-20T18:45:14.234620+00:00", "vendors": ["apache", "apache$PRODUCT$airflow"]}