Description
UI / API User with asset materialize permission could trigger dags they had no access to.
Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.
Published: 2026-04-18
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized DAG execution leading to potential arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

A user who has permission to materialize assets can cause a DAG to run through the Airflow UI or API even if the user does not have explicit permission to run that DAG. The flaw allows the user to trigger any DAG that is available in the system, which could lead to execution of code defined in the DAG and therefore compromise the confidentiality, integrity, or availability of the environment. This is a classic missing-authorization weakness categorized as CWE-863.

Affected Systems

All versions of Apache Airflow prior to 3.2.0 are affected. Migrating to Airflow 3.2.0 or newer removes the vulnerability by enforcing proper authorization on DAG triggers.

Risk and Exploitability

The vulnerability requires an authenticated user with asset materialization rights, making it an insider or privileged‑user threat. No EPSS score or CVSS value is provided, and the issue is not listed in the CISA KEV catalog, but the potential impact is high because triggering a malicious DAG could provide an attacker with arbitrary code execution on the Airflow infrastructure. Exploitation would involve the user logging into the Airflow UI or making API calls to trigger the desired DAG and could be accomplished without additional privileges beyond those already granted for asset materialization.

Generated by OpenCVE AI on April 18, 2026 at 08:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Airflow version 3.2.0 or later to obtain the fix that enforces proper DAG trigger authorization
  • If an upgrade is not immediately feasible, revoke or limit asset materialization permissions for users who should not have the ability to trigger DAGs
  • After mitigation, monitor Airflow logs for unauthorized DAG execution attempts to detect any residual or new abuse of the affected functionality

Generated by OpenCVE AI on April 18, 2026 at 08:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow
Vendors & Products Apache
Apache airflow

Sat, 18 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
References

Sat, 18 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Description UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.
Title Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to
Weaknesses CWE-863
References

Subscriptions

Apache Airflow
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-18T06:28:59.060Z

Reserved: 2026-03-11T11:33:32.883Z

Link: CVE-2026-32228

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-18T07:16:10.560

Modified: 2026-04-18T07:16:10.560

Link: CVE-2026-32228

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses