Apache DolphinScheduler CVE-2026-47340

EUVD-2026-37584 CRITICAL
2026-06-17

Severity by source

vuln.today AI: 4.3 MEDIUM

Network-accessible API requires valid credentials (PR:L); impact is read-only access to alert instance data (C:L), with no integrity or availability impact.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

  • Patch available: Jun 17, 2026 - 11:01 (EUVD)
  • Analysis Generated: Jun 17, 2026 - 02:19 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Incorrect authorization in Apache DolphinScheduler before 3.4.2 allows authenticated users to read alert instances belonging to alert groups outside their assigned permissions. The API component (org.apache.dolphinscheduler:dolphinscheduler-api) fails to enforce permission boundaries between alert groups and their associated alert instances, constituting a broken access control flaw. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain valid DolphinScheduler credentials
  • Delivery: Authenticate to the DolphinScheduler API server
  • Exploit: Enumerate alert group and instance resource identifiers
  • Execution: Query alert instance endpoint with out-of-scope identifiers
  • Impact: Read unauthorized alert instance configuration data

Vulnerability Assessment (AI)

Exploitation: The attacker must be an authenticated user of the Apache DolphinScheduler instance; no public exploit or unauthenticated path is identified. …

Risk Assessment: The vendor rates this vulnerability as moderate, which is consistent with an independent assessment. …

Exploit Scenario: An authenticated DolphinScheduler user with access only to alert group A queries the API endpoint for alert instances and, by manipulating resource identifiers, retrieves alert instance records associated with alert group B, a group to which they have no assigned permissions. This could expose sensitive data such as notification webhook URLs, email addresses, or credentials configured in alert plugins belonging to other teams or administrative groups.

Remediation: The primary fix is to upgrade Apache DolphinScheduler to version 3.4.2 or later, as confirmed by the Apache project advisory at https://dolphinscheduler.apache.org and the oss-security disclosure. …
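As an added illustration of the authorization boundary the exploit scenario above describes (example code written for this page, not DolphinScheduler's own; the data model, function names and the permitted-group set are constructed assumptions), the following places an id-only instance lookup beside a hardened one that checks the instance's alert group against the caller's permissions and logs refused cross-group reads:

```python
from dataclasses import dataclass, field

# Constructed sample data (not DolphinScheduler's schema): two alert groups,
# one alert instance each, and the alert groups a user is allowed to see.
@dataclass
class AlertInstance:
    instance_id: int
    group_id: int
    name: str
    plugin_config: dict  # webhook URLs, addresses, credentials: the exposed data

@dataclass
class User:
    user_id: int
    permitted_group_ids: set = field(default_factory=set)

ALERT_INSTANCES = {
    1: AlertInstance(1, 10, "team-a-webhook", {"url": "https://hooks.example/a"}),
    2: AlertInstance(2, 20, "team-b-email", {"smtp_password": "constructed-secret"}),
}
DENIED_LOG = []  # server-side audit trail of refused cross-group reads

def get_alert_instance_unchecked(instance_id):
    """Lookup keyed on the instance id alone. It never asks which alert group
    the instance belongs to, so any authenticated caller who supplies the id
    receives the record: the shape of the flaw described above."""
    return ALERT_INSTANCES.get(instance_id)

def get_alert_instance(user, instance_id):
    """Hardened lookup: resolve the instance, then require that its alert group
    is one the user is permitted to see. Out-of-scope and non-existent ids are
    answered identically (None), so a probe cannot confirm which ids exist;
    the denial is still recorded server-side for detection."""
    inst = ALERT_INSTANCES.get(instance_id)
    if inst is None:
        return None
    if inst.group_id not in user.permitted_group_ids:
        DENIED_LOG.append({"user": user.user_id, "instance": instance_id,
                           "group": inst.group_id})
        return None
    return inst

def list_alert_instances(user):
    """Filter server-side by the user's permitted groups rather than by any
    group id the client supplies, so the caller cannot widen the result set."""
    return [i for i in ALERT_INSTANCES.values()
            if i.group_id in user.permitted_group_ids]
```

Entries accumulating in the denied-read log for one user across many instance ids are the detection signal a defender would alert on.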

Recommended Action (AI)

Within 24 hours: Identify all DolphinScheduler deployments and versions in use; restrict network access to alert management API endpoints via firewall or WAF. …
