
Apache DolphinScheduler CVE-2026-42357

EUVD-2026-37582 | CRITICAL
2026-06-17

Severity by source

vuln.today AI: 4.3 MEDIUM

Network-accessible API flaw that requires a valid authenticated account (PR:L); impact is limited to partial confidentiality exposure of workflow metadata. The CRITICAL badge in the page header does not match this score or the vendor's own "moderate" rating quoted in the assessment below.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

Patch available: Jun 17, 2026, 11:01 (EUVD)
Analysis generated: Jun 17, 2026, 02:19 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Incorrect Authorization in Apache DolphinScheduler's API layer exposes workflow instance data across project boundaries to authenticated users who lack the required project permissions. All versions prior to 3.4.2 of the org.apache.dolphinscheduler:dolphinscheduler-api component are affected, with the vendor recommending immediate upgrade to 3.4.2. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: obtain a valid low-privilege DolphinScheduler account
Delivery: enumerate or infer workflow instance IDs belonging to the target project
Exploit: send an API request for a workflow instance in a project the account is not a member of
Execution: the project-level authorization check in the API layer is bypassed
Impact: exfiltrate workflow instance metadata, including schedules and task configuration

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid, authenticated user account on the targeted Apache DolphinScheduler instance; unauthenticated access is not possible. …

Risk Assessment: The vendor rates the severity as moderate, consistent with an authenticated, read-only information-disclosure flaw. …

Exploit Scenario: An authenticated user holding a low-privilege account scoped to Project A in a shared DolphinScheduler deployment crafts direct API requests, using workflow instance IDs found by enumeration or inference, against Project B, where the account has no membership. The server returns full workflow instance records for Project B, including execution history, scheduling parameters and task configuration, without enforcing project-level authorization. …

Remediation: Upgrade Apache DolphinScheduler to version 3.4.2, which contains the authorization fix, as confirmed by the Apache security team in the oss-security disclosure (https://seclists.org/oss-sec/2026/q2/955). …
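The cross-project read from the exploit scenario and the class of fix the remediation refers to, modelled as an added example in Python. This is not DolphinScheduler's code and does not reproduce the actual defect or the 3.4.2 patch: the in-memory store, the user and project names, the handler signatures and the exact placement of the missing check are all assumptions chosen to show the pattern. The vulnerable handler authorizes the caller against the project named in the request and then loads the instance by its global ID; the fixed handler additionally requires the loaded instance to belong to that project.

```python
"""Illustrative model of the authorization failure class described above.

Added example for this page: not Apache DolphinScheduler code and not the
3.4.2 patch. The store layout, function names and the exact missing check
are assumptions chosen to show one way such a flaw arises: the API proves
the caller may access the project named in the request, then loads the
workflow instance by its global ID without binding that instance to the
same project.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WorkflowInstance:
    instance_id: int       # global, sequential ID (assumed: easy to enumerate)
    project_code: int
    name: str
    schedule: str          # cron expression of the workflow's schedule
    task_config: dict      # task parameters an attacker would harvest


@dataclass
class Store:
    """Constructed in-memory stand-in for the metadata database."""
    memberships: dict = field(default_factory=dict)  # user -> {project_code}
    instances: dict = field(default_factory=dict)    # instance_id -> WorkflowInstance


class Forbidden(Exception):
    """Caller is not a member of the requested project."""


class NotFound(Exception):
    """No instance with that ID is visible in the requested project."""


def has_project_permission(store, user, project_code):
    return project_code in store.memberships.get(user, set())


def get_instance_vulnerable(store, user, project_code, instance_id):
    """Flawed pattern: authorization is checked against the project in the
    request, but the object is fetched by ID alone, so a member of any
    project can read instances of every project."""
    if not has_project_permission(store, user, project_code):
        raise Forbidden(user, project_code)
    inst = store.instances.get(instance_id)     # project_code never consulted
    if inst is None:
        raise NotFound(instance_id)
    return inst


def get_instance_fixed(store, user, project_code, instance_id):
    """Hardened pattern: the instance must belong to the project the caller
    was just authorized for. A mismatch is reported exactly like a missing
    ID so the endpoint does not become an oracle for IDs in other projects."""
    if not has_project_permission(store, user, project_code):
        raise Forbidden(user, project_code)
    inst = store.instances.get(instance_id)
    if inst is None or inst.project_code != project_code:
        raise NotFound(instance_id)
    return inst


def build_demo_store():
    """Constructed sample data: two projects, one low-privilege user."""
    store = Store()
    store.memberships["alice"] = {1001}          # alice is a member of Project A only
    store.instances[1] = WorkflowInstance(1, 1001, "a-nightly-etl", "0 2 * * *",
                                          {"sql": "select 1"})
    store.instances[2] = WorkflowInstance(2, 2002, "b-payroll", "0 4 1 * *",
                                          {"shell": "run_payroll.sh"})
    store.instances[3] = WorkflowInstance(3, 2002, "b-ml-train", "0 6 * * 1",
                                          {"python": "train.py"})
    return store


def enumerate_as_user(handler, store, user, own_project, max_id=10):
    """Replay the exploit scenario: walk candidate IDs under the caller's
    own project and record which project each returned instance belongs to."""
    seen = {}
    for instance_id in range(1, max_id + 1):
        try:
            inst = handler(store, user, own_project, instance_id)
        except (Forbidden, NotFound):
            continue
        seen[instance_id] = inst.project_code
    return seen


if __name__ == "__main__":
    demo = build_demo_store()
    print("vulnerable:", enumerate_as_user(get_instance_vulnerable, demo, "alice", 1001))
    print("fixed:     ", enumerate_as_user(get_instance_fixed, demo, "alice", 1001))
```

Two design points carry over to any real fix of this shape: the project binding belongs in the service layer that every instance-related endpoint (detail, list, task instances, logs) calls, so that one hardened controller does not leave a sibling endpoint open; and a wrong-project lookup should return the same error as a missing ID, otherwise the endpoint still leaks which IDs exist in other projects. To confirm a live deployment is fixed, use a low-privilege account on a non-production copy and request an instance ID you know belongs to a project that account is not a member of.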

Recommended Action (AI)

Within 24 hours: Identify production deployments of DolphinScheduler (any version of the dolphinscheduler-api component prior to 3.4.2 is affected) and assess the sensitivity of the workflow data managed within project isolation boundaries. …

