CVE-2026-41280: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects

June 17, 2026 (updated June 18, 2026)

Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects

This issue affects Apache DolphinScheduler versions prior to 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes this issue.

References

github.com/advisories/GHSA-wh3w-v6gj-fqh2
lists.apache.org/thread/5bv1njp3lbbbj11y20td5yz1b4nmrtvw
nvd.nist.gov/vuln/detail/CVE-2026-41280

Code Behaviors & Features

Detect and mitigate CVE-2026-41280 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →