Auth bypass in Apache Software Foundation Airflow

CVE-2026-32228

A UI / API user with the asset materialize permission could trigger DAGs they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue.

Vulnerability class: Broken Access Control

EPSS: 0.001 (28.3th percentile)

Affected products

Weakness classification (CWE)

References