Critical Privilege Escalation in Apache DolphinScheduler - CVE-2026-49050
Other CVEs in Same Group
Incorrect Authorization in Apache DolphinScheduler's experimental `/v2` API interface permits authenticated users to invoke privileged operations without undergoing permission validation. All releases of the `dolphinscheduler-api` module prior to 3.4.2 are affected. An attacker with a valid account can bypass role-based access controls enforced on the stable API surface by routing requests through the unguarded `/v2` endpoint, potentially performing administrative workflow, datasource, or tenant operations beyond their granted privilege level. No public exploit code or CISA KEV listing has been identified at time of analysis.
Missing authorization check in the Apache DolphinScheduler DataSource API exposes arbitrary data source metadata to users who lack permission to view it, affecting all versions before 3.4.2. Authenticated users with low-privilege access can query the DataSource API and retrieve connection metadata (hostnames, ports, database names, and usernames) belonging to data sources they are not authorized to access. No public exploit or active exploitation has been identified at time of analysis, and the Apache Software Foundation has rated this moderate severity, consistent with a confidentiality-only impact against an internal platform.
Incorrect Authorization in Apache DolphinScheduler's API layer exposes workflow instance data across project boundaries to authenticated users who lack the required project permissions. All versions prior to 3.4.2 of the org.apache.dolphinscheduler:dolphinscheduler-api component are affected, with the vendor recommending immediate upgrade to 3.4.2. No public exploit has been identified and the vulnerability is not listed in CISA KEV; real-world risk is concentrated in multi-tenant deployments where project isolation is the primary access control boundary.
Incorrect Authorization in Apache DolphinScheduler's API module (versions prior to 3.4.2) allows any authenticated user holding basic system login privileges to delete task definitions belonging to projects outside their authorized scope. The server-side project-level access check is missing, so cross-project destructive operations are possible without elevated roles. No public exploit has been identified at time of analysis, and no KEV listing exists; the moderate severity reflects the authentication prerequisite and an impact limited to data destruction rather than exfiltration or code execution.
Incorrect authorization in Apache DolphinScheduler before 3.4.2 allows authenticated users to read alert instances belonging to alert groups outside their assigned permissions. The API component (org.apache.dolphinscheduler:dolphinscheduler-api) fails to enforce permission boundaries between alert groups and their associated alert instances, constituting a broken access control flaw. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the moderate severity rating reflects the authentication prerequisite and limited confidentiality impact.