This vulnerability in Apache Airflow 3.0.0 involves incorrect authorization (CWE-863) where a UI or API user possessing asset materialize permission can trigger DAGs without having explicit access rights to those DAGs. The CVSS 3.1 base score is 7.5, indicating high severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to confidentiality. The vendor has released version 3.2.0 to fix this issue. No known exploits are reported in the wild.

An attacker or user with asset materialize permission can trigger DAGs they should not have access to, potentially exposing workflow execution details or causing unintended workflow runs. The impact is limited to unauthorized triggering (confidentiality impact) without affecting integrity or availability. There is no indication of privilege escalation or data modification.

Users should upgrade to Apache Airflow version 3.2.0, which contains the fix for this authorization vulnerability. Since the vendor advisory indicates migration to version 3.2.0 as the remediation, this is the recommended and effective mitigation. No temporary workarounds or additional mitigations are specified.