CVE-2026-41280 | Incorrect Authorization vulnerability allows users with syst… | CVSS 4.9 MEDIUM

Description

Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.

Metadata

CVE ID: CVE-2026-41280
State: PUBLISHED
Assigner: apache
Reserved: 2026-04-19 05:17 UTC
Published: 2026-06-17 08:55 UTC
Last updated: 2026-06-17 11:06 UTC
Primary CWE: CWE-863
CWE-863 Incorrect Authorization
Vendor / Product: Apache Software Foundation / Apache DolphinScheduler
Sources: cve.org · NVD

Severity & Metrics

4.9 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache DolphinScheduler	—	0 < 3.4.2

Weakness (CWE)

CWE	Source	Description
CWE-863	cna	CWE-863 Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.9	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

References (1)

https://lists.apache.org/thread/5bv1njp3lbbbj11y20td5yz1b4nmrtvw