PT-2026-45211 · Apache · Apache Airflow
Jarek Potiuk +1
Published 2026-05-31 · Updated 2026-06-05
CVE-2026-41014
CVSS v3.1 4.3 Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
apache-airflow versions prior to 3.2.2
Description
The 'partitioned dag runs' endpoints in the UI enforce only asset-level access control instead of per-Dag authorization. This allows an authenticated UI or API user with global Asset:read permission to enumerate the partition run state, schedule configuration, and asset wiring for Dags they are not authorized to read. This issue impacts deployments that use per-Dag read scoping while granting users broader Asset access.
Recommendations
Upgrade to version 3.2.2 or later.
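To illustrate the authorization gap the description reports, here is an added example that is not Airflow's code (all class, function and sample names are constructed placeholders): a handler that gates partition-run data on the asset alone, beside one that also applies per-Dag read scoping to every row it returns.

```python
from dataclasses import dataclass, field

# Constructed toy model of the gap in the advisory; names are placeholders,
# not Airflow's own classes or endpoints.

@dataclass(frozen=True)
class Dag:
    dag_id: str
    schedule: str
    consumes_asset: str  # asset wiring: which asset's partitions drive this Dag

@dataclass
class User:
    asset_read: set = field(default_factory=set)  # "*" models global Asset:read
    dag_read: set = field(default_factory=set)    # per-Dag read scoping

    def can_read_asset(self, asset: str) -> bool:
        return "*" in self.asset_read or asset in self.asset_read

    def can_read_dag(self, dag_id: str) -> bool:
        return dag_id in self.dag_read

# Constructed sample data: two Dags wired to the same asset, plus their
# partition run states keyed by dag_id.
ASSET = "s3://example-bucket/orders"
DAGS = [Dag("orders_etl", "0 * * * *", ASSET), Dag("finance_close", "@daily", ASSET)]
RUNS = {"orders_etl": [("2026-05-30", "success")],
        "finance_close": [("2026-05-30", "failed")]}

def _rows(dags):
    # Serialize partition run state, schedule and asset wiring for each Dag.
    return [{"dag_id": d.dag_id, "schedule": d.schedule,
             "asset": d.consumes_asset, "runs": RUNS.get(d.dag_id, [])}
            for d in dags]

def partition_runs_asset_only(user: User, asset: str) -> list:
    """Vulnerable pattern: the asset check is the only gate, so every Dag
    wired to the asset is disclosed regardless of per-Dag read scope."""
    if not user.can_read_asset(asset):
        raise PermissionError(asset)
    return _rows(d for d in DAGS if d.consumes_asset == asset)

def partition_runs_per_dag(user: User, asset: str) -> list:
    """Hardened pattern: keep the asset check and also filter each Dag
    through the caller's per-Dag read authorization."""
    if not user.can_read_asset(asset):
        raise PermissionError(asset)
    return _rows(d for d in DAGS
                 if d.consumes_asset == asset and user.can_read_dag(d.dag_id))
```

A user holding global Asset:read but read scope on only one Dag sees both Dags' schedules and run states through the first handler and only the authorized Dag through the second.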
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow