CVE-2026-42357 | Incorrect Authorization vulnerability allows users to access… | CVSS 6.5 MEDIUM

Description

Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.

Metadata

CVE ID: CVE-2026-42357
State: PUBLISHED
Assigner: apache
Reserved: 2026-04-26 14:44 UTC
Published: 2026-06-17 08:56 UTC
Last updated: 2026-06-17 15:35 UTC
Primary CWE: CWE-863
CWE-863 Incorrect Authorization
Vendor / Product: Apache Software Foundation / Apache DolphinScheduler
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache DolphinScheduler	—	0 < 3.4.1

Weakness (CWE)

CWE	Source	Description
CWE-863	cna	CWE-863 Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (1)

https://lists.apache.org/thread/74l2rrz32w2chn7vz64313gk7ox5wjtr