Impact
The vulnerability arises when the system fails to enforce proper project-level access checks while deleting task definitions, allowing a user with system login privileges to remove tasks from projects they are not authorized to manage. This access control flaw (CWE‑863) can disrupt critical workflow processes, potentially causing service disruption and loss of availability.
Affected Systems
The flaw affects Apache Software Foundation’s Apache DolphinScheduler in all versions released before 3.4.2. Any deployment of those releases is susceptible to the unauthorized deletion of task definitions.
Risk and Exploitability
The CVSS score of 4.9 indicates medium impact; the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authenticated access with system login privileges and involves the application layer. The attack path is straightforward: an authenticated user leverages the missing project boundary check to delete tasks in unauthorized projects, leading to workflow interruption but not to code execution or data exfiltration.
OpenCVE Enrichment
Github GHSA