PYSEC-2026-2360

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-core/PYSEC-2026-2360.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2360
Aliases
Published
2026-07-13T15:02:50.801689Z
Modified
2026-07-13T16:42:28.187290787Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions
Details

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

References

Affected packages

PyPI / apache-airflow-core

Package

Name
apache-airflow-core
View open source insights on deps.dev
Purl
pkg:pypi/apache-airflow-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.2.0

Affected versions

3.*
3.0.0
3.0.1rc1
3.0.1
3.0.2rc1
3.0.2rc2
3.0.2
3.0.3rc1
3.0.3rc2
3.0.3rc3
3.0.3rc4
3.0.3rc5
3.0.3rc6
3.0.3
3.0.4rc1
3.0.4rc2
3.0.4
3.0.5rc1
3.0.5rc2
3.0.5rc3
3.0.5
3.0.6rc1
3.0.6rc2
3.0.6
3.1.0b1
3.1.0b2
3.1.0rc1
3.1.0rc2
3.1.0
3.1.1rc1
3.1.1rc2
3.1.1
3.1.2rc1
3.1.2rc2
3.1.2
3.1.3rc1
3.1.3
3.1.4rc1
3.1.4rc2
3.1.4
3.1.5rc1
3.1.5
3.1.6rc1
3.1.6
3.1.7rc1
3.1.7rc2
3.1.7
3.1.8rc1
3.1.8rc2
3.1.8
3.2.0b1
3.2.0b2
3.2.0rc1
3.2.0rc2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-core/PYSEC-2026-2360.yaml"