CVE-2026-41280 PUBLISHED

Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects

Assigner: apache
Reserved: 19.04.2026 Published: 17.06.2026 Updated: 17.06.2026

Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects

This issue affects Apache DolphinScheduler versions prior to 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes this issue.

Product Status

Vendor Apache Software Foundation
Product Apache DolphinScheduler
Versions Default: unaffected
  • affected from 0 to 3.4.2 (excl.)

Credits

  • Yicheng Yu(https://github.com/FHMTT) finder

References

Problem Types

  • CWE-863 Incorrect Authorization CWE