How to fix CVE-2026-32228?

Within 24 hours: Inventory all Apache Airflow deployments and identify those running versions 3.0.x through 3.1.x. Within 7 days: Apply vendor-released patch to upgrade Apache Airflow to version 3.2.0 or later across all affected environments. Within 30 days: Conduct access control audit to verify asset materialize permissions are correctly enforced and review DAG execution logs for unauthorized activity during the vulnerable period.

CVE-2026-32228

EUVD-2026-23664 HIGH

Incorrect Authorization (CWE-863)

2026-04-18 apache

GHSA-h97w-pm3w-mwmc

Authentication Bypass

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 21, 2026 - 13:12 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 20, 2026 - 19:07 vuln.today

cvss_changed

Analysis Generated

Apr 20, 2026 - 16:23 vuln.today

CVSS changed

Apr 20, 2026 - 16:22 NVD

7.5 (HIGH)

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

3 pypi packages depend on apache-airflow-core (2 direct, 1 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionNVD

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

AnalysisAI

Apache Airflow 3.0.x prior to 3.2.0 allows remote unauthenticated attackers to trigger unauthorized DAG (Directed Acyclic Graph) execution via the UI or API, bypassing asset materialize permission checks. Despite CVSS 7.5 HIGH, the CVSS vector (PR:N) contradicts the description's requirement for 'UI/API user with asset materialize permission', suggesting authentication IS required-a critical discrepancy that demands verification. …

RemediationAI

Within 24 hours: Inventory all Apache Airflow deployments and identify those running versions 3.0.x through 3.1.x. Within 7 days: Apply vendor-released patch to upgrade Apache Airflow to version 3.2.0 or later across all affected environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-32228 vulnerability details – vuln.today

Back

CVE-2026-32228

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code