Platform: python
Component: apache-airflow
Fixed in: 3.2.0
CVE-2026-32228 describes an authorization bypass vulnerability discovered in Apache Airflow. This flaw allows a user with asset materialize permissions to trigger Directed Acyclic Graphs (DAGs) that they should not have access to, potentially leading to unauthorized task execution and data manipulation. The vulnerability affects versions 3.0.0 through 3.2.0 and is resolved in version 3.2.0.
An attacker exploiting this vulnerability could gain unauthorized access to sensitive data and resources within the Airflow environment. By triggering DAGs they are not permitted to run, they could initiate tasks that modify data, execute arbitrary code (depending on the DAG's configuration), or access restricted areas of the system. The blast radius extends to any data or services managed by the triggered DAGs, so the outcome can range from data breaches to system compromise and disruption of critical workflows. While the initial access requires asset materialize permissions, the subsequent impact depends entirely on the privileges granted to the DAGs themselves.
CVE-2026-32228 was publicly disclosed on 2026-04-18. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is released. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.10% (26th percentile)
The primary mitigation for CVE-2026-32228 is to upgrade Apache Airflow to version 3.2.0 or later, which contains the fix. If upgrading is not immediately feasible, consider restricting asset materialize permissions to only trusted users. Implement strict access controls within your DAGs to limit the privileges granted to individual tasks. Regularly review and audit user permissions to ensure they align with the principle of least privilege. There are no specific WAF rules or detection signatures readily available for this vulnerability, so focusing on access control and timely patching is crucial.
Update Apache Airflow to version 3.2.0 or higher to mitigate the risk. This version corrects the vulnerability that allows users with asset materialize permissions to trigger DAGs they should not have access to.
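As an added example that is not part of this advisory, the following Python scanner flags exact `apache-airflow` pins in a `requirements.txt` that fall in the affected range. It assumes the range from the page's "Fixed in" field, i.e. 3.0.0 <= version < 3.2.0, and the sample requirements file is constructed here rather than taken from any real project.

```python
"""Flag apache-airflow pins in requirements.txt affected by CVE-2026-32228.

Assumption: affected range is 3.0.0 <= version < 3.2.0, derived from the
advisory's "Fixed in: 3.2.0" field. Pre-release/local suffixes (rc1, .dev0,
+local) are stripped before comparison, so "3.2.0rc1" is treated as fixed.
"""
import re
from typing import List, Optional, Tuple

FIRST_AFFECTED = (3, 0, 0)
FIRST_FIXED = (3, 2, 0)  # first fixed release per the advisory (assumption)

# Matches e.g. "apache-airflow==3.1.2" or "apache-airflow[celery]==3.0.0rc1";
# does not match provider packages such as "apache-airflow-providers-http".
PIN_RE = re.compile(
    r"^\s*apache[-_]airflow(\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.+\-]*)",
    re.IGNORECASE,
)

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Reduce a PEP 440-style version to (major, minor, patch); None if the
    string does not start with a numeric release segment."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version: str) -> bool:
    """True when FIRST_AFFECTED <= version < FIRST_FIXED."""
    v = parse_version(version)
    return v is not None and FIRST_AFFECTED <= v < FIRST_FIXED

def scan_requirements(text: str) -> List[Tuple[int, str, bool]]:
    """Return (line_number, pinned_version, affected) for each exact pin.
    Range specifiers (>=, ~=) are skipped: only an exact pin says which
    version will actually be installed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PIN_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m:
            findings.append((lineno, m.group(2), is_affected(m.group(2))))
    return findings

# Constructed sample requirements file (not from any real project).
SAMPLE_REQUIREMENTS = """\
requests==2.32.0
apache-airflow[celery]==3.1.0   # in affected range
apache-airflow-providers-http==5.0.0
Apache-Airflow==3.2.0           # first fixed release
"""

if __name__ == "__main__":
    for lineno, ver, hit in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: apache-airflow=={ver} ->", "AFFECTED" if hit else "ok")
```

Run it against a real `requirements.txt` by replacing `SAMPLE_REQUIREMENTS` with the file's contents; the check covers the pinned version only, not what `pip` would resolve from an unpinned or range specifier.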
CVE-2026-32228 is a vulnerability in Apache Airflow versions 3.0.0–3.2.0 that allows users with asset materialize permissions to trigger DAGs they shouldn't have access to, potentially leading to unauthorized task execution.
You are affected if you are running Apache Airflow versions 3.0.0 through 3.2.0. Upgrade to version 3.2.0 or later to mitigate the vulnerability.
The recommended fix is to upgrade Apache Airflow to version 3.2.0 or later. Restrict asset materialize permissions to trusted users as an interim measure.
There is currently no indication of active exploitation, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is released.
Refer to the Apache Airflow security advisories page for the latest information: [https://airflow.apache.org/security/](https://airflow.apache.org/security/)