CVE-2026-41280— Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler | < 3.4.2 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41280
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
Source: NVD (National Vulnerability Database)
Vulnerability Description
Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler | 0 ~ 3.4.2 | - |
II. Public POCs for CVE-2026-41280
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41280
请登录查看更多情报信息。
Mailing List Discussions for CVE-2026-41280 (1)
Same Patch Batch · Apache Software Foundation · 2026-06-17 · 7 CVEs total
| CVE-2026-49268 | Apache Shiro: LDAP DN Injection in DefaultLdapRealm | |
| CVE-2026-47340 | Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated use | |
| CVE-2026-32967 | Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks | |
| CVE-2026-42357 | Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access work | |
| CVE-2026-32966 | Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Dat | |
| CVE-2026-50203 | Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local f |
IV. Related Vulnerabilities
Same product: Apache DolphinScheduler
- CVE-2026-47340
Apache DolphinScheduler: An incorrect authorization vulnerab - CVE-2026-32967
Apache DolphinScheduler: The `/v2` experimental interface la - CVE-2026-42357
Apache DolphinScheduler: Incorrect Authorization vulnerabili - CVE-2026-32966
Apache DolphinScheduler: DataSource API Missing Authorizatio - CVE-2026-23902
Apache DolphinScheduler: Users are able to use tenants that
Same vendor: Apache Software Foundation
- CVE-2026-49872
Apache APISIX: Improper authentication in cas-auth plugin - CVE-2026-49871
Apache APISIX: cas-auth login CSRF / session injection issue - CVE-2026-47341
Apache APISIX: Session replay issue in hmac-auth - CVE-2026-48895
Apache APISIX: Cas-auth Host header influence on CAS service - CVE-2026-49231
Apache APISIX: Identity spoofing issue in APISIX opa plugin
Same weakness: CWE-863
- CVE-2026-47339
Apache APISIX: authz-casdoor incorrect session sharing - CVE-2026-56075
PraisonAI - Arbitrary Shell Command Execution via Hardcoded - CVE-2026-56074
PraisonAI - Tool Approval Cache Bypass via Coarse-Grained Ca - CVE-2026-10741
Nexus Repository Manager - Incorrect Authorization allows cr - CVE-2026-54803
WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Pr
V. Comments for CVE-2026-41280
No comments yet