Impact
The vulnerability stems from missing authorization checks on the experimental "/v2" API of Apache DolphinScheduler. Based on the description, it is inferred that an attacker can make calls to this interface without the required permissions, potentially accessing or modifying scheduler configuration and job definitions. This flaw is identified as CWE‑863, an authorization bypass that can lead to unauthorized data exposure or manipulation.
Affected Systems
All installations of Apache DolphinScheduler before version 3.4.2 are impacted. The issue is present in the experimental "/v2" API irrespective of the deployment environment. The vendor identified is the Apache Software Foundation and the product is DolphinScheduler.
Risk and Exploitability
Based on the description, it is inferred that the likely attack vector is through the /v2 API exposed over the network, and that no credentials may be required if the interface is publicly reachable. The EPSS score is below 1%, indicating a very low exploitation probability at this time. The CVSS score of 6.5 indicates moderate severity. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require network access to the scheduler’s API; if the experimental interface is publicly reachable, no credentials may be needed. A malicious actor could use crafted requests to the "/v2" endpoint to elevate privileges or alter job behavior.
OpenCVE Enrichment
Github GHSA