CVE-2026-42357 Overview
CVE-2026-42357 is an Incorrect Authorization vulnerability [CWE-863] in Apache DolphinScheduler. The flaw allows authenticated users to access workflow instance information belonging to projects they do not have permission to view. The issue affects all Apache DolphinScheduler versions prior to 3.4.2. Exploitation requires only low-privileged network access, with no user interaction needed. The Apache Software Foundation released version 3.4.2 to remediate the issue. The vulnerability impacts confidentiality of workflow data across tenant or project boundaries within shared DolphinScheduler deployments.
Critical Impact
Authenticated low-privileged users can read workflow instance details from projects they do not own, breaking project-level access boundaries in multi-tenant Apache DolphinScheduler deployments.
Affected Products
- Apache DolphinScheduler versions prior to 3.4.2
- Apache DolphinScheduler multi-project deployments where access control is enforced at the project level
- Self-hosted DolphinScheduler clusters exposing the REST API to authenticated users
Discovery Timeline
- 2026-06-17 - CVE-2026-42357 published to the National Vulnerability Database
- 2026-06-17 - Apache Software Foundation advisory posted to project mailing lists
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-42357
Vulnerability Analysis
Apache DolphinScheduler is a distributed workflow scheduling platform used to orchestrate data pipelines. The platform organizes tasks under projects, and access control is intended to scope users to projects they explicitly own or are granted access to.
CVE-2026-42357 stems from a broken access control check within API endpoints that return workflow instance information. The endpoint validates that a caller is authenticated but fails to verify that the caller has permission to access the project containing the requested workflow instance. An authenticated user with any valid session can request workflow instance data tied to other projects.
The disclosed data includes workflow names, execution timing, task definitions, and runtime parameters. In environments where workflows process sensitive customer data, financial records, or operational secrets, this exposure undermines tenant isolation.
Root Cause
The root cause is a missing authorization check, classified under [CWE-863] Incorrect Authorization. The affected handler trusts the project identifier supplied in the request without cross-referencing it against the authenticated user's project permission set. Authentication is treated as sufficient, while the project-scoped authorization layer is bypassed.
Attack Vector
Exploitation is remote and requires only a valid low-privileged DolphinScheduler account. An attacker enumerates or guesses workflow instance identifiers and queries the affected API. The server returns workflow data without validating project membership. No special user interaction or elevated privileges are required.
No verified public proof-of-concept code is available. Refer to the Apache Mailing List Discussion and the Openwall OSS Security Update for additional technical context.
Detection Methods for CVE-2026-42357
Indicators of Compromise
- Unusual access patterns in DolphinScheduler API logs where one user account queries workflow instance endpoints across multiple project identifiers.
- Sequential or scripted requests against /dolphinscheduler/projects/*/process-instances style endpoints originating from a single session.
- Authenticated API calls returning HTTP 200 for project identifiers the calling user is not assigned to in the role-based access control configuration.
Detection Strategies
- Correlate authenticated session identifiers with assigned project permissions and flag any workflow instance reads that target unassigned projects.
- Baseline normal per-user API query volume against project endpoints and alert on deviations indicating enumeration behavior.
- Inspect application logs for repeated workflow instance lookups paired with varying projectCode parameters from the same principal.
Monitoring Recommendations
- Forward DolphinScheduler API and audit logs to a centralized analytics platform for cross-project access correlation.
- Monitor for newly created low-privileged accounts followed by elevated read activity against workflow APIs.
- Track HTTP responses on workflow instance endpoints and alert on response payloads exceeding expected size for a given user's project scope.
How to Mitigate CVE-2026-42357
Immediate Actions Required
- Upgrade Apache DolphinScheduler to version 3.4.2 or later, which contains the authorization fix.
- Audit existing user accounts and remove unused or stale credentials that could be abused to query cross-project data.
- Review recent API access logs for indications that workflow instance endpoints were queried with project identifiers outside the caller's permitted scope.
Patch Information
Apache has released DolphinScheduler 3.4.2, which corrects the missing project-level authorization check on workflow instance endpoints. Upgrade instructions and release notes are referenced in the Apache Mailing List Discussion. Operators running clusters with custom forks should backport the corresponding authorization check to their build.
Workarounds
- Restrict network access to the DolphinScheduler API so that only trusted internal users and services can reach authenticated endpoints.
- Reduce the number of accounts with access to the DolphinScheduler instance until the upgrade to 3.4.2 is complete.
- Place a reverse proxy or API gateway in front of DolphinScheduler to enforce additional project-scoped authorization checks based on request parameters.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
