Skip to main content

Apache DolphinScheduler EUVDEUVD-2026-25413

| CVE-2026-23902 HIGH
Incorrect Authorization (CWE-863)
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

9
Analysis Updated
Apr 27, 2026 - 13:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 27, 2026 - 13:52 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 13:42 nvd
Patch available
Analysis Generated
Apr 24, 2026 - 19:23 vuln.today
CVSS changed
Apr 24, 2026 - 19:22 NVD
8.1 (None) 8.1 (HIGH)
Patch available
Apr 24, 2026 - 13:01 EUVD
EUVD ID Assigned
Apr 24, 2026 - 12:21 euvd
EUVD-2026-25413
Analysis Generated
Apr 24, 2026 - 12:21 vuln.today
CVE Published
Apr 24, 2026 - 12:21 nvd
HIGH 8.1

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Tenant authorization bypass in Apache DolphinScheduler versions before 3.4.1 allows authenticated low-privilege users to execute workflows using arbitrary tenant configurations not assigned to their account, exposing high confidentiality and integrity risks. The vulnerability (CWE-863: Incorrect Authorization) enables privilege escalation through tenant context manipulation during workflow execution. Despite a CVSS score of 8.1, EPSS probability is low (0.02%, 4th percentile) with no active exploitation confirmed. Vendor patch is available in version 3.4.1.

Technical ContextAI

Apache DolphinScheduler is a distributed workflow scheduler platform supporting complex DAG workflows across multiple tenants. The vulnerability stems from incorrect authorization enforcement (CWE-863) in the tenant validation mechanism during workflow execution. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) indicates network-accessible exploitation requiring only low-privilege authentication with no user interaction. The CPE string 'cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*' confirms all versions prior to the fix are vulnerable. Tenant isolation failures in multi-tenant workflow platforms can lead to unauthorized access to tenant-specific resources, credentials, execution environments, or data processing contexts not intended for the authenticated user's security boundary.

RemediationAI

Upgrade Apache DolphinScheduler to version 3.4.1 or later, which contains the authorization fix. Download from official Apache repositories and follow standard upgrade procedures documented at https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9. For environments unable to immediately upgrade, implement compensating controls: enforce strict RBAC review to ensure users have minimum required tenant assignments, enable comprehensive audit logging of all workflow submissions with tenant context tracking, implement secondary authorization checks at the workflow execution layer through custom plugins or middleware, and monitor for anomalous tenant usage patterns via SIEM correlation rules. Note that workarounds provide defense-in-depth but do not eliminate the underlying authorization flaw - they add detection capabilities and reduce attack surface but skilled attackers may still bypass tenant restrictions. Production multi-tenant environments should prioritize the upgrade path over compensating controls.

Share

EUVD-2026-25413 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy