What is the CVSS score of EUVD-2026-37581?

EUVD-2026-37581 has a CVSS 3.1 base score of 4.9 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N.

Which versions of Apache DolphinScheduler are affected by EUVD-2026-37581?

Apache DolphinScheduler versions prior to 3.4.2 contain an authorization bypass in the API module allowing authenticated users to delete workflow task definitions from projects outside their assigned…. A patch is available.

How to fix or mitigate EUVD-2026-37581?

Within 24 hours: Inventory all systems running Apache DolphinScheduler and determine versions (pre-3.4.2 indicates exposure). Within 7 days: Upgrade to DolphinScheduler 3.4.2 or later, or implement compensating controls if immediate upgrade is infeasible. Within 30 days: Conduct comprehensive access control audit across all DolphinScheduler projects and enforce least-privilege API restrictions limiting users to essential projects only.

Apache DolphinScheduler EUVD-2026-37581

| CVE-2026-41280 MEDIUM

Incorrect Authorization (CWE-863)

2026-06-17

Apache Authentication Bypass

4.9

CVSS 3.1 · NVD

Severity by source

Vendor (CNA) PRIMARY

MEDIUM

qualitative

NVD

4.9 MEDIUM

AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

vuln.today AI

5.4 MEDIUM

Network-accessible API requires a valid login (PR:L, AV:N); task deletion yields limited integrity and availability impact with no confidentiality loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

Jun 17, 2026 - 11:01 EUVD

Analysis Generated

Jun 17, 2026 - 02:17 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

Articles & Coverage 1

News Critical Incorrect Authorization in Apache DolphinScheduler API - CVE-2026-41280 Jun 17, 2026

AnalysisAI

Incorrect Authorization in Apache DolphinScheduler's API module (versions prior to 3.4.2) allows any authenticated user holding basic system login privileges to delete task definitions belonging to projects outside their authorized scope. The flaw bypasses project-level access controls server-side, enabling cross-project destructive operations without requiring elevated roles. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate with low-privilege system account

Delivery

Enumerate task definition IDs across projects

Exploit

Craft deletion API request for unauthorized project task

Execution

Server skips project-level authorization check

Impact

Task definition permanently deleted in victim project

Access

Authenticate with low-privilege system account

Delivery

Enumerate task definition IDs across projects

Exploit

Craft deletion API request for unauthorized project task

Execution

Server skips project-level authorization check

Impact

Task definition permanently deleted in victim project

Vulnerability AssessmentAI

Exploitation	Exploitation requires a valid authenticated session on the target Apache DolphinScheduler instance - any account with system login privileges is sufficient, and no elevated role (admin, project owner) is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	No CVSS vector was provided by NVD or the Apache advisory, so all metric assessments are inferred from the vulnerability description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker with a low-privilege DolphinScheduler account enumerates task definition identifiers across projects (e.g., via API responses or error messages) and identifies tasks belonging to a project they have no authorization to manage. The attacker submits a deletion API request referencing those task IDs; because project-level authorization is not enforced, the server accepts and processes the request, permanently deleting workflow task definitions and disrupting pipelines in the victim project. …
Remediation	Upgrade Apache DolphinScheduler to version 3.4.2 or later, which is the vendor-confirmed fix per the Apache advisory (https://dolphinscheduler.apache.org) and oss-security disclosure (https://seclists.org/oss-sec/2026/q2/958). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Apache DolphinScheduler and determine versions (pre-3.4.2 indicates exposure). …

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-37581 vulnerability details – vuln.today

Back

Apache DolphinScheduler EUVD-2026-37581

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Description PRE-NVD

Articles & Coverage 1

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code