Impact
An incorrect authorization check in Apache DolphinScheduler allows any authenticated user to view alert instances of alert groups to which they have no permission. The flaw exposes potentially sensitive operational information to users who should be excluded, thereby enabling an attacker to learn about scheduled jobs, system behavior, and other internal details that may be valuable for further attacks. The vulnerability is a classic example of Unauthorized Access (CWE-200).
Affected Systems
The issue affects all versions of Apache DolphinScheduler released before 3.4.2, including the default packages distributed by the Apache Software Foundation. Any deployment running a pre‑3.4.2 build is susceptible.
Risk and Exploitability
The CVSS score is 6.5, signifying moderate severity. The EPSS score is reported as less than 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. Attack likely requires only a valid user account; an authenticated attacker can simply query or navigate to the alert instance endpoints and view data without additional privileges. Given the lack of advanced attack prerequisites, this vulnerability represents a moderate risk for environments where insider access is possible or where user accounts have higher privileges than necessary.
OpenCVE Enrichment
Github GHSA