CVE Vulnerability Database

CVE-2026-41280: Apache DolphinScheduler Auth Bypass Flaw

CVE-2026-41280 is an authorization bypass flaw in Apache DolphinScheduler that allows authenticated users to delete task definitions in projects they are not authorized to administer. This article covers the technical details, affected versions, and mitigation.

CVE-2026-41280 Overview

CVE-2026-41280 is an incorrect authorization vulnerability in Apache DolphinScheduler, an open-source distributed workflow scheduling platform. The flaw allows authenticated users with system login privileges to delete task definitions in projects they do not own. The issue affects all Apache DolphinScheduler versions prior to 3.4.2 and is tracked under CWE-863: Incorrect Authorization.

The vulnerability is exploitable over the network by any authenticated user, requiring no user interaction. Successful exploitation results in unauthorized deletion of task definitions, breaking workflow integrity across tenant boundaries.

Critical Impact

Authenticated users can delete task definitions in unauthorized projects, disrupting scheduled workflows and corrupting multi-tenant data orchestration pipelines.

Affected Products

  • Apache DolphinScheduler versions prior to 3.4.2
  • Apache DolphinScheduler multi-tenant deployments
  • Apache DolphinScheduler workflow scheduling platform

Discovery Timeline

  • 2026-06-17 - CVE-2026-41280 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-41280

Vulnerability Analysis

The vulnerability resides in Apache DolphinScheduler's task definition management endpoints. The application authenticates users at login but fails to enforce project-level authorization checks when processing delete requests for task definitions. An authenticated user can target task definition identifiers belonging to projects they have no membership or role in.

DolphinScheduler enforces project isolation as the primary access control boundary for workflow assets. When this boundary is bypassed, tenants in shared deployments lose the integrity guarantees they rely on. The deletion action is destructive and not reversible through the API.

The issue is categorized under CWE-863: Incorrect Authorization. The EPSS probability is 0.605% with a percentile of 44.26 as of 2026-06-18.

Root Cause

The delete task definition handler validates that the requestor holds a valid session but omits the check that confirms the requestor has permission on the parent project. The authorization decision relies on the existence of a session token rather than on project role membership. This pattern violates the principle that authorization must be enforced on every privileged action, not only at the session boundary.
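The pattern described above, as an added illustration that is not DolphinScheduler's own code: a delete handler that authorizes on the session alone, beside one that also requires a role in the task's parent project. All names, tokens and table contents are hypothetical.

```python
# Constructed state: session token -> user, and project -> users holding a role in it.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
PROJECT_MEMBERS = {"proj-a": {"alice"}, "proj-b": {"bob"}}


def new_tasks():
    """Constructed task-definition table: task id -> owning project."""
    return {101: "proj-a", 102: "proj-a", 201: "proj-b"}


def delete_task_vulnerable(session_token, task_id, tasks):
    """CWE-863 pattern: a valid session is the only thing checked."""
    if session_token not in SESSIONS:
        return "unauthenticated"
    # No project-role check, so any logged-in user can delete any task id.
    return "deleted" if tasks.pop(task_id, None) else "not_found"


def delete_task_fixed(session_token, task_id, tasks):
    """Authorize the action itself: the user must hold a role in the parent project."""
    user = SESSIONS.get(session_token)
    if user is None:
        return "unauthenticated"
    project = tasks.get(task_id)
    if project is None:
        return "not_found"
    if user not in PROJECT_MEMBERS.get(project, set()):
        return "forbidden"  # the session is valid, but not for this project
    del tasks[task_id]
    return "deleted"
```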

Attack Vector

An attacker needs valid system login credentials, which any tenant user possesses. The attacker enumerates or guesses task definition identifiers and submits a delete request to the task definition API endpoint. The server processes the delete without verifying that the target task belongs to a project the user can administer.

The vulnerability manifests in the task definition delete API handler. See the Apache Security Announcement and the OpenWall OSS Security Discussion for technical details from the maintainers.

Detection Methods for CVE-2026-41280

Indicators of Compromise

  • Unexpected DELETE operations against /dolphinscheduler/projects/*/task-definition/* endpoints from low-privilege user accounts
  • Audit log entries showing task definition deletions performed by users not assigned to the target project
  • Missing task definitions or broken workflow DAGs reported by project owners with no corresponding administrative action

Detection Strategies

  • Review DolphinScheduler audit logs for delete events and cross-reference the acting user against project membership tables
  • Alert on any task definition delete API call where the requesting user role does not include the target project
  • Monitor for sequential delete requests against incrementing task definition identifiers, which indicates enumeration
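The first two detection strategies above, applied to access-log lines as an added example that is not part of the original page or the DolphinScheduler project. The log format, user names and membership table are constructed for the example; the regex would be adapted to a real deployment's log layout.

```python
import re
from collections import defaultdict

# Constructed sample access log (hypothetical format, not DolphinScheduler's own);
# paths follow the page's /dolphinscheduler/projects/*/task-definition/* pattern.
SAMPLE_LOG = """\
2026-06-18T10:00:05Z user=bob DELETE /dolphinscheduler/projects/proj-a/task-definition/101 status=200
2026-06-18T10:00:06Z user=bob DELETE /dolphinscheduler/projects/proj-a/task-definition/102 status=200
2026-06-18T10:00:07Z user=bob DELETE /dolphinscheduler/projects/proj-a/task-definition/103 status=200
2026-06-18T10:01:00Z user=bob DELETE /dolphinscheduler/projects/proj-b/task-definition/201 status=200
2026-06-18T10:02:00Z user=alice GET /dolphinscheduler/projects/proj-a/task-definition/104 status=200
"""
# Constructed membership table: project -> users holding a role in it.
PROJECT_MEMBERS = {"proj-a": {"alice"}, "proj-b": {"bob"}}
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
                     r"/dolphinscheduler/projects/(?P<project>[^/]+)/task-definition/(?P<task>\d+)\b")

def parse_deletes(log_text):
    """Return (timestamp, user, project, task_id) for each task-definition DELETE."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "DELETE":
            events.append((m["ts"], m["user"], m["project"], int(m["task"])))
    return events

def cross_project_deletes(events, members):
    """Rule 1: the acting user holds no role in the target project."""
    return [e for e in events if e[1] not in members.get(e[2], set())]

def enumeration_runs(events, min_run=3):
    """Rule 2: per user, runs of deletes against consecutive task ids."""
    ids_by_user = defaultdict(list)
    for _, user, _, task in events:
        ids_by_user[user].append(task)
    findings = {}
    for user, ids in ids_by_user.items():
        runs, run = [], ids[:1]
        for prev, cur in zip(ids, ids[1:]):
            if cur == prev + 1:
                run.append(cur)
            else:
                runs.append(run)
                run = [cur]
        runs.append(run)
        long_runs = [r for r in runs if len(r) >= min_run]
        if long_runs:
            findings[user] = long_runs
    return findings
```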

Monitoring Recommendations

  • Forward DolphinScheduler API access logs and database audit logs to a centralized SIEM for correlation
  • Track baselines for task definition delete volume per user and alert on deviations
  • Capture full request bodies for delete operations to retain forensic evidence of unauthorized identifiers

How to Mitigate CVE-2026-41280

Immediate Actions Required

  • Upgrade Apache DolphinScheduler to version 3.4.2 or later, which contains the authorization fix
  • Audit existing task definitions for unauthorized deletions since the deployment of any vulnerable version
  • Restrict system login privileges to trusted users until the upgrade is complete

Patch Information

Apache has released Apache DolphinScheduler 3.4.2 to remediate CVE-2026-41280. The patch enforces project-level authorization on the task definition delete handler. Refer to the Apache Security Announcement for the official upgrade guidance.

Workarounds

  • Limit account creation and disable inactive system login accounts to reduce the attacker population
  • Place the DolphinScheduler API behind a reverse proxy that enforces additional authorization on delete methods
  • Take regular backups of task definitions and project metadata to enable rapid recovery from unauthorized deletion

```bash
# Upgrade Apache DolphinScheduler to the patched release
wget https://downloads.apache.org/dolphinscheduler/3.4.2/apache-dolphinscheduler-3.4.2-bin.tar.gz
tar -xzf apache-dolphinscheduler-3.4.2-bin.tar.gz
cd apache-dolphinscheduler-3.4.2-bin
# Stop the running services, run the installer, then start the patched release
./bin/dolphinscheduler-daemon.sh stop all
./bin/install.sh
./bin/dolphinscheduler-daemon.sh start all
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
