Apache DolphinScheduler security advisories

Security information for Apache DolphinScheduler

Reporting

Do you want disclose a potential security issue for Apache DolphinScheduler? You can read more about the projects’ security policy on their security page, and email your report to the Apache DolphinScheduler Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

General user can mint admin access tokens via /access-tokens

CVE-2026-49050 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-17T01:46:54.058Z

Affected

  • Apache DolphinScheduler before 3.4.2

Description

General user can mint admin access tokens via /access-tokens

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the issue.

References

Credits

An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.

CVE-2026-47340 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-17T01:44:26.990Z

Affected

  • Apache DolphinScheduler before 3.4.2

Description

Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the issue.

References

Credits

Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.

CVE-2026-42357 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-17T06:31:34.851Z

Affected

  • Apache DolphinScheduler before 3.4.1

Description

Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.

This issue affects Apache DolphinScheduler versions prior to 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes this issue.


References

Credits

Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects

CVE-2026-41280 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-17T06:32:49.794Z

Affected

  • Apache DolphinScheduler before 3.4.2

Description

Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects

This issue affects Apache DolphinScheduler versions prior to 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes this issue.


References

Credits

The /v2 experimental interface lacks permission checks

CVE-2026-32967 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-17T01:41:50.516Z

Affected

  • Apache DolphinScheduler before 3.4.2

Description

Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the issue.

References

Credits

DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure

CVE-2026-32966 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-17T08:48:15.528Z

Affected

  • Apache DolphinScheduler before 3.4.2

Description

DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the issue.

References

Credits

Users are able to use tenants that are not defined on the platform during workflow execution.

CVE-2026-23902 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-24T10:56:16.919Z

Affected

  • Apache DolphinScheduler before 3.4.1

Description

Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.

This issue affects Apache DolphinScheduler versions prior to 3.4.1. 

Users are recommended to upgrade to version 3.4.1, which fixes this issue.

References

Credits

  • Jihang Yu (reporter)

Deserialization of untrusted data in RPC

CVE-2025-62233 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-24T10:54:53.855Z

Affected

  • Apache DolphinScheduler from 3.2.0 before 3.3.1

Description

Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.

This issue affects Apache DolphinScheduler: 

Version >= 3.2.0 and < 3.3.1.

Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.

Users are recommended to upgrade to version [3.3.1], which fixes the issue.

References

Credits

  • 75Acol, fcgboy, ch0wn, zer0duck (finder)

Users can access sensitive information through the actuator endpoint.

CVE-2025-62188 [CVE] [CVE json]

Last updated: 2026-04-08T09:09:06.393Z

Affected

  • Apache DolphinScheduler from 3.1.0 before 3.2.0

Description

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler.
This vulnerability may allow unauthorized actors to access sensitive information, including database credentials.

This issue affects Apache DolphinScheduler versions 3.1.*.

Users are recommended to upgrade to:

  • version ≥ 3.2.0 if using 3.1.x

As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:

```
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
```

Alternatively, add the following configuration to the application.yaml file:

```
management:
   endpoints:
     web:
        exposure:
          include: health,metrics,prometheus
```

This issue has been reported as CVE-2023-48796:
https://cveprocess.apache.org/cve5/CVE-2023-48796


References

Credits

  • w aiyou (finder)
  • 魏大创 (reporter)

Remote Code Execution Vulnerability

CVE-2024-43202 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-20T07:29:41.648Z

Affected

  • Apache DolphinScheduler from 3.0.0 before 3.2.2

Description

Exposure of Remote Code Execution in Apache Dolphinscheduler.

This issue affects Apache DolphinScheduler: before 3.2.2.

We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.

References

Credits

  • an4er (reporter)

CWE-276 Incorrect Default Permissions

CVE-2024-43166 [CVE] [CVE json] [OSV json]

Last updated: 2025-09-18T09:38:13.985Z

Affected

  • Apache DolphinScheduler before 3.2.2

Description

Incorrect Default Permissions vulnerability in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.2.2.

Users are recommended to upgrade to version 3.3.1, which fixes the issue.

References

Credits

  • L0ne1y (reporter)

Alert Script Attack

CVE-2024-43115 [CVE] [CVE json] [OSV json]

Last updated: 2025-09-03T08:38:26.012Z

Affected

  • Apache DolphinScheduler before 3.2.2

Description

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.

This issue affects Apache DolphinScheduler: before 3.2.2.

Users are recommended to upgrade to version 3.3.1, which fixes the issue.


References

Credits

  • L0ne1y (reporter)

Resource File Read And Write Vulnerability

CVE-2024-30188 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-09T12:45:43.623Z

Affected

  • Apache DolphinScheduler from 3.1.0 before 3.2.2

Description

File read and write vulnerability in Apache DolphinScheduler ,  authenticated users can illegally access additional resource files.

This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2.

Users are recommended to upgrade to version 3.2.2, which fixes the issue.

References

Credits

  • L0ne1y (reporter)
  • drun1baby (reporter)
  • Zevi (reporter)
  • Xun Bai (reporter)

RCE by arbitrary js execution

CVE-2024-29831 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-09T14:21:46.981Z

Affected

  • Apache DolphinScheduler through 3.2.1

Description

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.

References

Credits

  • yerest (reporter)
  • L0ne1y (reporter)
  • My Long (reporter)

Arbitrary js execution as root for authenticated users

CVE-2024-23320 [CVE] [CVE json] [OSV json]

Last updated: 2024-02-23T16:36:40.046Z

Affected

  • Apache DolphinScheduler before 3.2.1

Description

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.


This issue is a legacy of CVE-2023-49299. We didn’t fix it completely in CVE-2023-49299, and we added one more patch to fix it.


This issue affects Apache DolphinScheduler: until 3.2.1.


Users are recommended to upgrade to version 3.2.1, which fixes the issue.



References

Credits

  • xuesong.zhou (finder)
  • Nbxiglk (finder)
  • Huang Atao (finder)

Arbitrary File Read Vulnerability

CVE-2023-51770 [CVE] [CVE json] [OSV json]

Last updated: 2024-02-20T06:00:50.765Z

Affected

  • Apache DolphinScheduler from 1.2.0 before 3.2.1

Description

Arbitrary File Read Vulnerability in Apache Dolphinscheduler.

This issue affects Apache DolphinScheduler: before 3.2.1.

We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

References

Credits

  • zhiwei (finder)
  • rg (finder)

Session do not expire after password change

CVE-2023-50270 [CVE] [CVE json]

Last updated: 2024-02-23T10:17:33.021Z

Affected

  • Apache DolphinScheduler from 1.3.8 through 3.2.0

Description

Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change.

Users are recommended to upgrade to version 3.2.1, which fixes this issue.

References

Credits

  • lujiefsi (finder)
  • Qing Xu (finder)

Authenticated users could delete UDFs in resource center they were not authorized for

CVE-2023-49620 [CVE] [CVE json] [OSV json]

Last updated: 2023-11-30T08:16:57.761Z

Affected

  • Apache DolphinScheduler from 2.0.0 before 3.1.0

Description

Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability

References

Credits

  • Yuanheng Lab of zhongfu (finder)

Arbitrary js execute as root for authenticated users

CVE-2023-49299 [CVE] [CVE json] [OSV json]

Last updated: 2023-12-30T16:30:14.065Z

Affected

  • Apache DolphinScheduler before 3.1.9

Description

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.

This issue affects Apache DolphinScheduler: until 3.1.9.

Users are recommended to upgrade to version 3.1.9, which fixes the issue.

References

Credits

  • Eluen Siebene (finder)

Insecure TLS TrustManager used in HttpUtil

CVE-2023-49250 [CVE] [CVE json] [OSV json]

Last updated: 2024-02-20T05:59:07.770Z

Affected

  • Apache DolphinScheduler through 3.2.0

Description

Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server.

This issue affects Apache DolphinScheduler: before 3.2.0.

Users are recommended to upgrade to version 3.2.1, which fixes the issue.


References

Remote Code Execution in Apache Dolphinscheduler

CVE-2023-49109 [CVE] [CVE json] [OSV json]

Last updated: 2024-02-20T06:02:40.133Z

Affected

  • Apache DolphinScheduler from 3.0.0 before 3.2.1

Description

Exposure of Remote Code Execution in Apache Dolphinscheduler.

This issue affects Apache DolphinScheduler: before 3.2.1.

We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

References

Credits

  • Y4tacker and 4ra1n from Y4secTeam (finder)

Information Leakage Vulnerability

CVE-2023-49068 [CVE] [CVE json] [OSV json]

Last updated: 2023-11-27T09:49:38.223Z

Affected

  • Apache DolphinScheduler before 3.2.1

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.2.1.

Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators.

References

Credits

  • Y4tacker and 4ra1n from Y4secTeam (finder)

Sensitive information disclosure

CVE-2023-48796 [CVE] [CVE json] [OSV json]

Last updated: 2025-11-28T05:01:20.066Z

Affected

  • Apache DolphinScheduler before < 3.0.2 and 3.1.0 < 3.2.0.

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.

The information exposed to unauthorized actors may include sensitive data such as database credentials.

Users who can’t upgrade to the fixed version can also set environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus to workaround this, or add the following section in the application.yaml file


<br>management:<br>&nbsp; endpoints:<br>&nbsp; &nbsp; web:<br>&nbsp; &nbsp; &nbsp; exposure:<br>&nbsp; &nbsp; &nbsp; &nbsp; include: health,metrics,prometheus<br>


This issue affects Apache DolphinScheduler: < 3.0.2 and 3.1.0 < 3.2.0.

Users are recommended to upgrade to version 3.0.6 or 3.3.2

References

Credits

  • whobushibaby (finder)

Apache DolphinScheduler 3.0.0 to 3.1.1 python gateway has improper authentication

CVE-2023-25601 [CVE] [CVE json] [OSV json]

Last updated: 2023-04-20T15:06:54.846Z

Affected

  • Apache DolphinScheduler from 3.0.0 before 3.1.2

Description

On version 3.0.0 through 3.1.1, Apache DolphinScheduler’s python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value python-gateway.enabled=false in configuration file application.yaml. If you are using the python gateway, please upgrade to version 3.1.2 or above.

References

Remote command execution Vulnerability in script alert plugin

CVE-2022-45875 [CVE] [CVE json] [OSV json]

Last updated: 2023-11-22T08:37:58.550Z

Affected

  • Apache DolphinScheduler from 3.0 through 3.0.1
  • Apache DolphinScheduler from 3.1 through 3.1.0

Description

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.
This attack can be performed only by authenticated users which can login to DS.

References

Credits

  • 4ra1n of Chaitin Tech (finder)

Apache DolphinScheduler prior to 2.0.5 have command execution vulnerability

CVE-2022-45462 [CVE] [CVE json] [OSV json]

Last updated: 2022-11-23T02:24:20.816Z

Affected

  • Apache DolphinScheduler from unspecified through 2.0.5

Description

Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher

References

Credits

  • This issue was discovered by Jigang Dong of M1QLin Security Team

Apache DolphinScheduler prior to 3.0.0 allows path traversal

CVE-2022-34662 [CVE] [CVE json] [OSV json]

Last updated: 2022-11-01T15:28:47.599Z

Affected

  • Apache DolphinScheduler from Apache DolphinScheduler through 3.0.0-beta-1

Description

When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher

References

Credits

  • This issue was discovered by Jigang Dong of M1QLin Security Team

Apache DolphinScheduler config file read by task risk

CVE-2022-26885 [CVE] [CVE json] [OSV json]

Last updated: 2022-11-24T11:55:57.562Z

Affected

  • Apache DolphinScheduler from Apache DolphinScheduler before 2.0.6

Description

When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher.

References

Apache DolphinScheduler exposes files without authentication

CVE-2022-26884 [CVE] [CVE json] [OSV json]

Last updated: 2022-10-28T01:44:55.028Z

Affected

  • Apache DolphinScheduler from Apache DolphinScheduler before 2.0.6

Description

Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.

References

Apache DolphinScheduler user registration is vulnerable to ReDoS attacks

CVE-2022-25598 [CVE] [CVE json] [OSV json]

Last updated: 2022-11-01T03:18:38.664Z

Affected

  • Apache DolphinScheduler from Apache DolphinScheduler before 2.0.5

Description

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.Uncontrolled Resource Consumption vulnerability in COMPONENT of Apache DolphinScheduler allows an attacker to IMPACT. This issue affects Apache DolphinScheduler Apache DolphinScheduler versions prior to 2.0.5.

References

Credits

  • This issue was discovered by Zheng Wang of HIT

DolphinScheduler mysql jdbc connector parameters deserialize remote code execution

CVE-2021-27644 [CVE] [CVE json] [OSV json]

Last updated: 2021-11-01T09:12:08.670Z

Affected

  • Apache DolphinScheduler from Apache DolphinScheduler before 1.3.6

Description

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

References

Credits

  • This issue was discovered by Jinchen Sheng of Ant FG Security Lab

Apache DolphinScheduler (incubating) Permission vulnerability

CVE-2020-13922 [CVE] [CVE json] [OSV json]

Last updated: 2021-01-11T09:18:42.255Z

Affected

  • Apache DolphinScheduler from Apache DolphinScheduler before 1.3.2

Description

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.

References

Credits

  • This issue was discovered by xuxiang of DtDream security