Description
Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.

This issue affects Apache DolphinScheduler versions prior to 3.4.2.


Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an incorrect authorization flaw that permits a user to view workflow instance details for projects they are not allowed to access, enabling disclosure of potentially sensitive operational data and a confidentiality risk. The issue does not lead to code execution or denial of service; its scope is limited to information leakage and it aligns with CWE-863.

Affected Systems

All deployments of Apache DolphinScheduler before version 3.4.2 are affected. The product is released by the Apache Software Foundation and any deployment that relies on project‑level role checks to protect workflow metadata is subject to the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires an authenticated session; an attacker with any valid credentials could request workflow information from projects to which they are not authorized, potentially revealing valuable data.

Generated by OpenCVE AI on June 18, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache DolphinScheduler to version 3.4.2 or later to apply the authorized fix.
  • Restrict users to the minimal project roles required and enforce strict role‑based access controls to prevent unauthorized queries.
  • Enable audit logging for workflow instance requests and regularly review logs for access from users outside the relevant projects.
  • If an immediate upgrade is not possible, temporarily block API endpoints that expose workflow instance details until the fix is deployed.

Generated by OpenCVE AI on June 18, 2026 at 22:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wv7f-c794-82v6 Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
History

Fri, 19 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache dolphinscheduler
Vendors & Products Apache
Apache dolphinscheduler

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Title Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
Weaknesses CWE-863
References

Subscriptions

Apache Dolphinscheduler
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-17T15:35:11.670Z

Reserved: 2026-04-26T14:44:49.319Z

Link: CVE-2026-42357

cve-icon Vulnrichment

Updated: 2026-06-17T09:40:04.112Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T09:30:16Z

Weaknesses