Description
Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from missing authorization checks on the experimental "/v2" API of Apache DolphinScheduler. Based on the description, it is inferred that an attacker can make calls to this interface without the required permissions, potentially accessing or modifying scheduler configuration and job definitions. This flaw is identified as CWE‑863, an authorization bypass that can lead to unauthorized data exposure or manipulation.

Affected Systems

All installations of Apache DolphinScheduler before version 3.4.2 are impacted. The issue is present in the experimental "/v2" API irrespective of the deployment environment. The vendor identified is the Apache Software Foundation and the product is DolphinScheduler.

Risk and Exploitability

Based on the description, it is inferred that the likely attack vector is through the /v2 API exposed over the network, and that no credentials may be required if the interface is publicly reachable. The EPSS score is below 1%, indicating a very low exploitation probability at this time. The CVSS score of 6.5 indicates moderate severity. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require network access to the scheduler’s API; if the experimental interface is publicly reachable, no credentials may be needed. A malicious actor could use crafted requests to the "/v2" endpoint to elevate privileges or alter job behavior.

Generated by OpenCVE AI on June 18, 2026 at 20:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch by upgrading to Apache DolphinScheduler 3.4.2 or later.
  • Disable the experimental "/v2" interface or block its traffic using firewall or reverse‑proxy rules as a temporary workaround.
  • Enforce strict role‑based access control on the scheduler service and monitor API usage for anomalous activity.

Generated by OpenCVE AI on June 18, 2026 at 20:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-85g9-8j9g-p486 Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache dolphinscheduler
Vendors & Products Apache
Apache dolphinscheduler

Wed, 17 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Title Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
Weaknesses CWE-863
References

Subscriptions

Apache Dolphinscheduler
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-17T15:36:12.852Z

Reserved: 2026-03-17T01:51:58.417Z

Link: CVE-2026-32967

cve-icon Vulnrichment

Updated: 2026-06-17T09:39:53.741Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:15:04Z

Weaknesses