Impact
The vulnerability is an incorrect authorization flaw that permits a user to view workflow instance details for projects they are not allowed to access, enabling disclosure of potentially sensitive operational data and a confidentiality risk. The issue does not lead to code execution or denial of service; its scope is limited to information leakage and it aligns with CWE-863.
Affected Systems
All deployments of Apache DolphinScheduler before version 3.4.2 are affected. The product is released by the Apache Software Foundation and any deployment that relies on project‑level role checks to protect workflow metadata is subject to the flaw.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires an authenticated session; an attacker with any valid credentials could request workflow information from projects to which they are not authorized, potentially revealing valuable data.
OpenCVE Enrichment
Github GHSA