{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23902", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-18T04:07:20.514Z", "datePublished": "2026-04-24T10:56:18.289Z", "dateUpdated": "2026-04-24T18:33:34.025Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.dolphinscheduler:dolphinscheduler-api", "product": "Apache DolphinScheduler", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.4.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Jihang Yu"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.<br><br>This issue affects Apache DolphinScheduler versions prior to 3.4.1.&nbsp;</p><p>Users are recommended to upgrade to version 3.4.1, which fixes this issue.<br></p>"}], "value": "Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.1.\u00a0\n\nUsers are recommended to upgrade to version 3.4.1, which fixes this issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-24T10:56:18.289Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution.", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/24/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-24T11:28:42.712Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T18:25:12.669237Z", "id": "CVE-2026-23902", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:33:34.025Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/24/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-24T11:28:42.712Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23902", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T18:25:12.669237Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:25:25.463Z"}}], "cna": {"title": "Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution.", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Jihang Yu"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache DolphinScheduler", "versions": [{"status": "affected", "version": "0", "lessThan": "3.4.1", "versionType": "semver"}], "packageName": "org.apache.dolphinscheduler:dolphinscheduler-api", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.1.\u00a0\n\nUsers are recommended to upgrade to version 3.4.1, which fixes this issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.<br><br>This issue affects Apache DolphinScheduler versions prior to 3.4.1.&nbsp;</p><p>Users are recommended to upgrade to version 3.4.1, which fixes this issue.<br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-24T10:56:18.289Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23902", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:33:34.025Z", "dateReserved": "2026-01-18T04:07:20.514Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-24T10:56:18.289Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD2DFC41-4AAE-4940-A40C-94421F0024DC", "versionEndExcluding": "3.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.1.\u00a0\n\nUsers are recommended to upgrade to version 3.4.1, which fixes this issue."}], "id": "CVE-2026-23902", "lastModified": "2026-04-27T13:42:29.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-24T12:17:06.453", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/24/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache DolphinScheduler", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "dolphinscheduler", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-28T06:54:27.489484+00:00", "value": {"mitigation_remediation": ["Upgrade Apache DolphinScheduler to version 3.4.1 or later, where correct tenant validation has been implemented. ", "Restrict system login permissions to the fewest accounts necessary and enforce the principle of least privilege across the platform. ", "Configure or audit the workflow submission process to reject or flag any reference to undefined tenants before execution."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Tenant Access"}, "threat_synthesis": {"affected_systems": "The issue affects all Apache DolphinScheduler installations running any version earlier than 3.4.1, regardless of the operating environment. Users who have system login rights, whether on production or testing systems, are exposed when they choose an undefined tenant during workflow submission. No additional platform components or external services are mentioned as part of the scope.", "description_and_impact": "Apache DolphinScheduler suffers an Incorrect Authorization flaw that lets authenticated users with system login permissions trigger workflows using tenants that have not been defined on the platform. Because the platform fails to validate the existence of the tenant, attackers can potentially access data or resources belonging to those tenants, effectively elevating privileges and bypassing normal access controls. The weakness is classified as CWE-863, reflecting an authorization failure where more resources are granted than intended.", "risk_and_exploitability": "The CVSS v3.1 score of 8.1 marks this flaw as high severity, indicating that an exploited instance could lead to significant compromise. The EPSS score is less than 1%, suggesting a low probability of real\u2011world exploitation currently, yet the absence from the CISA KEV catalog does not negate the risk. The attack requires an authenticated session; the attacker must first log in with system\u2011level permissions and then select an arbitrary tenant in the workflow interface. Based on the description, the likely attack vector is an authenticated user manipulating the tenant field during workflow execution; no external network exploit is required."}}}}, "created": "2026-04-27T19:15:11.631256+00:00", "updated": "2026-04-28T07:00:09.531742+00:00", "vendors": ["apache", "apache$PRODUCT$dolphinscheduler"]}