CVE-2026-23902

Published: Apr 24, 2026Modified: Apr 27, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution. This issue affects Apache DolphinScheduler versions prior to 3.4.1. Users are recommended to upgrade to version 3.4.1, which fixes this issue.

Affected (1)

Products: Apache: Dolphinscheduler

1 product

Dolphinscheduler

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Dolphinscheduler	Before 3.4.1

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9

Source: security@apache.org

Mailing ListVendor Advisory

http://www.openwall.com/lists/oss-security/2026/04/24/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.