Apache · Apache Airflow · CVE-2026-41014
**Name of the Vulnerable Software and Affected Versions**
apache-airflow versions prior to 3.2.2
**Description**
The 'partitioned dag runs' endpoints in the UI enforce only asset-level access control instead of per-Dag authorization. This allows an authenticated UI or API user with global `Asset:read` permission to enumerate the partition run state, schedule configuration, and asset wiring for Dags they are not authorized to read. This issue impacts deployments that use per-Dag read scoping while granting users broader Asset access.
**Recommendations**
Upgrade to version 3.2.2 or later.
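
To gauge exposure before upgrading, the condition in the description (global `Asset:read` combined with per-Dag read scoping) can be checked against an export of role assignments. The following is an added example, not Airflow code and not part of the advisory: the `User` model, the sample users and the Dag names are constructed, and the version parser assumes a plain numeric release string such as `3.2.1`.

```python
from dataclasses import dataclass
from typing import Optional

FIXED_VERSION = (3, 2, 2)  # from the advisory: upgrade to 3.2.2 or later


@dataclass(frozen=True)
class User:
    # Hypothetical model of one user's effective permissions (not an Airflow class).
    name: str
    global_asset_read: bool              # holds global Asset:read
    readable_dags: Optional[frozenset]   # None = may read every Dag, else per-Dag scope


def is_affected(version: str) -> bool:
    # Assumption: numeric "X.Y.Z" only; pre-release suffixes are not handled.
    return tuple(int(p) for p in version.split(".")[:3]) < FIXED_VERSION


def exposed_dags(user: User, partitioned_dags) -> set:
    """Dags whose partition run data an asset-only check would show to this
    user even though per-Dag scoping does not let them read the Dag."""
    if not user.global_asset_read or user.readable_dags is None:
        return set()
    return set(partitioned_dags) - user.readable_dags


def audit(version: str, users, partitioned_dags) -> dict:
    """Map user name -> sorted Dag ids exposed on an affected version."""
    if not is_affected(version):
        return {}
    report = {}
    for user in users:
        leaked = exposed_dags(user, partitioned_dags)
        if leaked:
            report[user.name] = sorted(leaked)
    return report


# Constructed sample data for illustration.
SAMPLE_DAGS = ["team_a_etl", "team_b_report", "finance_close"]
SAMPLE_USERS = [
    User("alice", True, frozenset({"team_a_etl"})),      # scoped Dags, global assets
    User("bob", False, frozenset({"team_b_report"})),    # no global Asset:read
    User("carol", True, None),                           # may read all Dags anyway
]

if __name__ == "__main__":
    print(audit("3.2.1", SAMPLE_USERS, SAMPLE_DAGS))
```

Users the audit reports are those for whom per-Dag read scoping is not effective on the partitioned dag runs endpoints until the upgrade is applied.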