GHSA-h97w-pm3w-mwmc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h97w-pm3w-mwmc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h97w-pm3w-mwmc/GHSA-h97w-pm3w-mwmc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h97w-pm3w-mwmc
- Aliases
-
- BIT-airflow-2026-32228
- CVE-2026-32228
- Downstream
- Published
- 2026-04-18T09:30:20Z
- Modified
- 2026-04-22T17:40:58.912622726Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions
- Details
-
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.
- Database specific
{ "github_reviewed": true, "severity": "HIGH", "github_reviewed_at": "2026-04-22T17:25:30Z", "nvd_published_at": "2026-04-18T07:16:10Z", "cwe_ids": [ "CWE-863" ] }- References
Affected packages
PyPI / apache-airflow-core
Package
- Name
- apache-airflow-core
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow-core
Affected versions
3.*
3.0.0
3.0.1rc1
3.0.1
3.0.2rc1
3.0.2rc2
3.0.2
3.0.3rc1
3.0.3rc2
3.0.3rc3
3.0.3rc4
3.0.3rc5
3.0.3rc6
3.0.3
3.0.4rc1
3.0.4rc2
3.0.4
3.0.5rc1
3.0.5rc2
3.0.5rc3
3.0.5
3.0.6rc1
3.0.6rc2
3.0.6
3.1.0b1
3.1.0b2
3.1.0rc1
3.1.0rc2
3.1.0
3.1.1rc1
3.1.1rc2
3.1.1
3.1.2rc1
3.1.2rc2
3.1.2
3.1.3rc1
3.1.3
3.1.4rc1
3.1.4rc2
3.1.4
3.1.5rc1
3.1.5
3.1.6rc1
3.1.6
3.1.7rc1
3.1.7rc2
3.1.7
3.1.8rc1
3.1.8rc2
3.1.8
3.2.0b1
3.2.0b2
3.2.0rc1
3.2.0rc2