Description
Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect authorization check in Apache DolphinScheduler allows any authenticated user to view alert instances of alert groups to which they have no permission. The flaw exposes potentially sensitive operational information to users who should be excluded, thereby enabling an attacker to learn about scheduled jobs, system behavior, and other internal details that may be valuable for further attacks. The vulnerability is a classic example of Unauthorized Access (CWE-200).

Affected Systems

The issue affects all versions of Apache DolphinScheduler released before 3.4.2, including the default packages distributed by the Apache Software Foundation. Any deployment running a pre‑3.4.2 build is susceptible.

Risk and Exploitability

The CVSS score is 6.5, signifying moderate severity. The EPSS score is reported as less than 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. Attack likely requires only a valid user account; an authenticated attacker can simply query or navigate to the alert instance endpoints and view data without additional privileges. Given the lack of advanced attack prerequisites, this vulnerability represents a moderate risk for environments where insider access is possible or where user accounts have higher privileges than necessary.

Generated by OpenCVE AI on June 18, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache DolphinScheduler to version 3.4.2 or later to apply the vendor fix.
  • Restrict access to alert groups by implementing stricter role‑based access controls so that only authorized users can view alert instances.
  • Monitor logs for any unauthorized access to alert endpoints and audit user permissions regularly to ensure the fix remains enforced.

Generated by OpenCVE AI on June 18, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-694g-j8pj-cjj5 Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.
History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache dolphinscheduler
Vendors & Products Apache
Apache dolphinscheduler

Wed, 17 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Title Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.
Weaknesses CWE-200
References

Subscriptions

Apache Dolphinscheduler
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-17T15:37:28.582Z

Reserved: 2026-05-19T11:34:37.241Z

Link: CVE-2026-47340

cve-icon Vulnrichment

Updated: 2026-06-17T09:40:13.474Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:45:03Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor