Apache DolphinScheduler suffers an Incorrect Authorization flaw that lets authenticated users with system login permissions trigger workflows using tenants that have not been defined on the platform. Because the platform fails to validate the existence of the tenant, attackers can potentially access data or resources belonging to those tenants, effectively elevating privileges and bypassing normal access controls. The weakness is classified as CWE-863, reflecting an authorization failure where more resources are granted than intended.

The issue affects all Apache DolphinScheduler installations running any version earlier than 3.4.1, regardless of the operating environment. Users who have system login rights, whether on production or testing systems, are exposed when they choose an undefined tenant during workflow submission. No additional platform components or external services are mentioned as part of the scope.

The CVSS v3.1 score of 8.1 marks this flaw as high severity, indicating that an exploited instance could lead to significant compromise. The EPSS score is less than 1%, suggesting a low probability of real‑world exploitation currently, yet the absence from the CISA KEV catalog does not negate the risk. The attack requires an authenticated session; the attacker must first log in with system‑level permissions and then select an arbitrary tenant in the workflow interface. Based on the description, the likely attack vector is an authenticated user manipulating the tenant field during workflow execution; no external network exploit is required.