
CVE-2026-47340: Apache DolphinScheduler Auth Bypass Flaw

CVE-2026-47340 is an authorization bypass vulnerability in Apache DolphinScheduler allowing authenticated users to access restricted alert instances. This article covers technical details, affected versions, and mitigation.

CVE-2026-47340 Overview

CVE-2026-47340 is an authorization bypass vulnerability in Apache DolphinScheduler affecting all versions before 3.4.2. The flaw allows authenticated users to access alert instances tied to alert groups they have not been granted permission to view. The weakness is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and stems from missing authorization checks on alert instance endpoints. Apache has released 3.4.2 to remediate the issue.

Critical Impact

Any authenticated DolphinScheduler user can read alert instance data belonging to alert groups outside their permission scope, exposing potentially sensitive workflow, infrastructure, and notification content.

Affected Products

  • Apache DolphinScheduler versions prior to 3.4.2
  • Deployments exposing the DolphinScheduler API or web UI to authenticated users
  • Multi-tenant DolphinScheduler instances with segregated alert groups

Discovery Timeline

  • 2026-06-17 - CVE-2026-47340 published to NVD
  • 2026-06-17 - Apache Software Foundation advisory posted to the project mailing list
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-47340

Vulnerability Analysis

Apache DolphinScheduler is a distributed workflow orchestration platform. It uses alert groups to route operational notifications about workflow execution to designated users and channels. Each alert instance is intended to be scoped to the alert groups its owner has access to.

The vulnerability is a broken access control flaw. Endpoints that return alert instance data validate that the caller is authenticated but do not verify that the caller has permission on the alert group the instance is associated with. An authenticated low-privilege user can therefore enumerate or retrieve alert instances belonging to other tenants or projects. The information exposed can include alert content, target endpoints, workflow names, error messages, and operational metadata useful for further attacks.

Root Cause

The root cause is a missing authorization check between the authenticated principal and the alert group bound to a requested alert instance. The service layer trusts the authenticated session and returns the requested record without enforcing the alert-group permission model that is applied elsewhere in the application.
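The following is an added model of the check described above, not DolphinScheduler's own code: a simplified alert instance / alert group data model with the pre-3.4.2 "session only" lookup beside an object-level check that resolves the instance to its alert group and verifies the caller against that group's permitted readers. The class, field and user names are constructed for illustration.

```python
# Constructed model of the missing check behind CVE-2026-47340; not
# DolphinScheduler's own code. Simplified data model: one alert group per
# alert instance, and a set of user ids permitted to read each group.
from dataclasses import dataclass, field

@dataclass
class AlertInstance:
    instance_id: int
    alert_group_id: int
    content: str

@dataclass
class AlertGroup:
    group_id: int
    readers: set = field(default_factory=set)  # user ids allowed to read

class Unauthorized(Exception):
    pass

class AlertInstanceService:
    def __init__(self, instances, groups):
        self._instances = {i.instance_id: i for i in instances}
        self._groups = {g.group_id: g for g in groups}

    def get_vulnerable(self, user_id, instance_id):
        # Pre-3.4.2 pattern: only "is there a session?" is checked; the
        # alert-group permission model is never consulted for the record.
        if user_id is None:
            raise Unauthorized("login required")
        return self._instances[instance_id]

    def get_fixed(self, user_id, instance_id):
        # Object-level check: instance -> alert group -> readers, before
        # the record is released to the caller.
        if user_id is None:
            raise Unauthorized("login required")
        inst = self._instances[instance_id]
        group = self._groups[inst.alert_group_id]
        if user_id not in group.readers:
            raise Unauthorized(f"{user_id} may not read alert group {group.group_id}")
        return inst

def build_demo():
    """Constructed tenants: alice may read group 1, bob may read group 2."""
    groups = [AlertGroup(1, {"alice"}), AlertGroup(2, {"bob"})]
    instances = [AlertInstance(101, 1, "disk full on worker-1"),
                 AlertInstance(202, 2, "workflow etl_nightly failed")]
    return AlertInstanceService(instances, groups)
```

With `build_demo()`, `get_vulnerable("bob", 101)` returns group 1's record while `get_fixed("bob", 101)` raises `Unauthorized`; the only difference is the group lookup between session validation and the return.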

Attack Vector

Exploitation requires network access to the DolphinScheduler API and any valid user account. An attacker authenticates, then issues requests to the alert instance endpoints referencing identifiers belonging to other alert groups. The server returns the data without performing a permission lookup. No user interaction or elevated privileges are required beyond a standard authenticated session.

No public proof-of-concept code is referenced in the advisory. The vendor mailing list thread and the Openwall OSS-Security update describe the issue at a behavioral level rather than publishing exploit code.

Detection Methods for CVE-2026-47340

Indicators of Compromise

  • Repeated authenticated requests to alert instance API paths with sequentially incrementing or enumerated identifiers.
  • Access patterns where a single user account retrieves alert instances spanning multiple alert groups it does not own.
  • Unexpected 200 OK responses on alert instance endpoints from accounts that historically only operated within one project.

Detection Strategies

  • Audit DolphinScheduler API access logs and correlate the requesting user against the owner of each returned alert instance.
  • Alert on any user account that reads alert instances tied to alert groups outside its assigned project or tenant.
  • Compare the version reported by the DolphinScheduler API banner against 3.4.2 to identify unpatched instances.
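As an added example covering both the indicators and the detection strategies above (not DolphinScheduler's own tooling), the script below runs two checks over constructed access log lines: successful reads where the requesting user is not permitted on the alert group that owns the returned instance, and per-user runs of sequentially incrementing instance identifiers. The log line shape and the `/alert-instance/<id>` path are assumptions; the instance-to-group and user-to-groups maps are constructed stand-ins for data exported from the scheduler's database.

```python
# Constructed detection example for the CVE-2026-47340 read pattern; not
# DolphinScheduler's own tooling. The log line shape and the path
# /alert-instance/<id> are assumptions; the two maps are constructed.
import re
from collections import defaultdict

INSTANCE_GROUP = {101: 1, 102: 1, 103: 2, 104: 2, 105: 3}   # constructed
USER_GROUPS = {"alice": {1}, "bob": {2}, "admin": {1, 2, 3}}  # constructed

LOG = """\
2026-06-18T09:00:01Z alice GET /alert-instance/101 200
2026-06-18T09:00:02Z alice GET /alert-instance/102 200
2026-06-18T09:00:03Z bob GET /alert-instance/101 200
2026-06-18T09:00:04Z bob GET /alert-instance/102 200
2026-06-18T09:00:05Z bob GET /alert-instance/103 200
2026-06-18T09:00:06Z bob GET /alert-instance/104 200
2026-06-18T09:00:07Z bob GET /alert-instance/105 200
2026-06-18T09:00:08Z admin GET /alert-instance/105 200
"""  # constructed sample lines

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) /alert-instance/(\d+) (\d{3})$")

def parse_log(log_text):
    """Yield (ts, user, instance_id, status); lines for other paths are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, _method, inst, status = m.groups()
            yield ts, user, int(inst), int(status)

def cross_group_reads(log_text, instance_group, user_groups):
    """Successful reads of instances whose alert group the user may not read."""
    hits = []
    for ts, user, inst, status in parse_log(log_text):
        if status != 200:
            continue  # a denied request is not an exposure
        group = instance_group.get(inst)
        if group is not None and group not in user_groups.get(user, set()):
            hits.append((ts, user, inst, group))
    return hits

def enumeration_runs(log_text, min_run=3):
    """Users whose longest run of sequentially incrementing ids is >= min_run."""
    last, run, best = {}, defaultdict(int), defaultdict(int)
    for _ts, user, inst, _status in parse_log(log_text):
        run[user] = run[user] + 1 if last.get(user) == inst - 1 else 1
        last[user] = inst
        best[user] = max(best[user], run[user])
    return {u: n for u, n in best.items() if n >= min_run}
```

On the sample data `cross_group_reads` flags bob's reads of instances 101, 102 and 105 (groups 1 and 3, which bob does not own) and `enumeration_runs` reports bob with a run of five consecutive identifiers; the admin read of 105 is not flagged because admin holds group 3.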

Monitoring Recommendations

  • Forward DolphinScheduler application and access logs to a centralized analytics platform for retention and correlation.
  • Build a baseline of normal alert instance read volume per user and flag deviations.
  • Monitor for newly created or low-tenure accounts that immediately query large numbers of alert instance identifiers.

How to Mitigate CVE-2026-47340

Immediate Actions Required

  • Upgrade all Apache DolphinScheduler deployments to version 3.4.2 or later.
  • Inventory existing user accounts and revoke access for any account that does not require it.
  • Review recent access logs for evidence of cross-group alert instance reads prior to patching.

Patch Information

Apache fixed the missing authorization check in DolphinScheduler 3.4.2. The official remediation guidance is published in the Apache Mailing List Thread and the Openwall OSS-Security Update. Upgrading is the only complete fix.

Workarounds

  • Restrict network exposure of the DolphinScheduler API and UI to trusted administrative networks until the upgrade is complete.
  • Enforce strong authentication and minimize the number of accounts with login access while running an unpatched version.
  • Rotate or sanitize sensitive content embedded in alert templates so that any historical exposure is reduced in value.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.