
Apache DolphinScheduler CVE-2026-49050

CRITICAL
2026-06-17

Severity by source

vuln.today AI: 9.9 CRITICAL

Network-reachable API endpoint, low attack complexity, requires only a general user account (PR:L); the scope change to admin grants high confidentiality and integrity impact with limited direct availability impact.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 - 02:18 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Privilege escalation in Apache DolphinScheduler before 3.4.2 allows any authenticated general user to mint admin-level access tokens by calling the /access-tokens API endpoint directly, bypassing role-enforcement logic. This effectively grants full administrative control over the workflow scheduling platform to any low-privilege account holder. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain general user credentials
Delivery: Authenticate to DolphinScheduler API
Exploit: POST to /access-tokens endpoint
Execution: Receive admin-scoped access token
Impact: Execute privileged API operations as admin

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid authenticated general user account on the target DolphinScheduler instance (PR:L). …

Risk Assessment: No official CVSS vector was published with this advisory, so quantitative scoring is entirely inferred. …

Exploit Scenario: An attacker with a valid general user account on a DolphinScheduler instance - obtained through registration, credential stuffing, or insider access - sends a crafted POST or GET request to the /access-tokens endpoint requesting an admin-scoped token. The server fails to validate that the requester's role permits admin token issuance and returns a valid admin token. …

Remediation: The primary fix is to upgrade Apache DolphinScheduler to version 3.4.2, which the vendor confirms resolves this authorization bypass. …

Recommended Action (AI)

Within 24 hours: Inventory all DolphinScheduler deployments and confirm which systems run versions before 3.4.2. …
