Description
Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects

This issue affects Apache DolphinScheduler versions prior to 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Published: 2026-06-17
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the system fails to enforce proper project-level access checks while deleting task definitions, allowing a user with system login privileges to remove tasks from projects they are not authorized to manage. This access control flaw (CWE‑863) can disrupt critical workflow processes, potentially causing service disruption and loss of availability.

Affected Systems

The flaw affects Apache Software Foundation’s Apache DolphinScheduler in all versions released before 3.4.2. Any deployment of those releases is susceptible to the unauthorized deletion of task definitions.

Risk and Exploitability

The CVSS score of 4.9 indicates medium impact; the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authenticated access with system login privileges and involves the application layer. The attack path is straightforward: an authenticated user leverages the missing project boundary check to delete tasks in unauthorized projects, leading to workflow interruption but not to code execution or data exfiltration.

Generated by OpenCVE AI on June 18, 2026 at 12:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache DolphinScheduler to version 3.4.2 or later to apply the fix for the access control flaw.
  • Revise user role assignments to remove or restrict system login privileges so that only authorized users can delete task definitions within their own projects.
  • Enable detailed logging of delete operations and routinely review logs for any unauthorized task deletions.

Generated by OpenCVE AI on June 18, 2026 at 12:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wh3w-v6gj-fqh2 Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache dolphinscheduler
Vendors & Products Apache
Apache dolphinscheduler

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Title Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
Weaknesses CWE-863
References

Subscriptions

Apache Dolphinscheduler
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-17T11:06:01.798Z

Reserved: 2026-04-19T05:17:56.571Z

Link: CVE-2026-41280

cve-icon Vulnrichment

Updated: 2026-06-17T09:40:02.283Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:04Z

Weaknesses