Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login...

4.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Description

Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects

This issue affects Apache DolphinScheduler versions prior to 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes this issue.

Basic Information

ID CVE-2026-41280

Source apache

Published Jun 17, 2026 at 08:55

Modified Jun 17, 2026 at 11:06

Affected Product

Vendor Apache Software Foundation

Product Apache DolphinScheduler

Affected Versions Apache Software Foundation Apache DolphinScheduler 0

CWE Classification

CWE-863

References

lists.apache.org /thread/5bv1njp3lbbbj11y20td5yz1b4nmrtvw

{
    "lastseen": "",
    "description": "Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.2. \n\nUsers are recommended to upgrade to version 3.4.2, which fixes this issue.",
    "published": "2026-06-17T08:55:29.988Z",
    "modified": "2026-06-17T11:06:01.798Z",
    "type": "cve",
    "title": "Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects",
    "source": "apache",
    "references": "https://lists.apache.org/thread/5bv1njp3lbbbj11y20td5yz1b4nmrtvw",
    "id": "CVE-2026-41280",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache DolphinScheduler 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache DolphinScheduler",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects_CVE-2026-41280