CVE-2026-23902: Apache DolphinScheduler has an Incorrect Authorization Vulnerability

April 24, 2026 (updated May 5, 2026)

Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.

This issue affects Apache DolphinScheduler versions prior to 3.4.1.

Users are recommended to upgrade to version 3.4.1, which fixes this issue.

References

github.com/advisories/GHSA-72mv-wwvm-vgp5
github.com/apache/dolphinscheduler
lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9
nvd.nist.gov/vuln/detail/CVE-2026-23902

Code Behaviors & Features

Detect and mitigate CVE-2026-23902 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →