# CVE-2026-23902 — Apache DolphinScheduler authorization bypass
Apache DolphinScheduler before 3.4.1 allows authenticated users with platform
login permissions to use tenants not defined on the platform during workflow
execution. This is an authorization flaw with multi-tenant isolation impact.
## Affected versions
- Vulnerable: DolphinScheduler < 3.4.1
- Fixed: DolphinScheduler >= 3.4.1
## Indicator of exposure
- DolphinScheduler version is below 3.4.1.
- Instance is multi-tenant and users can submit workflow runs.
- Tenant scoping is relied on for separation of duties or for billing/security boundaries.
## Remediation strategy
- Upgrade to 3.4.1 or newer.
- Revalidate tenant authorization controls after the upgrade.
- Review workflow execution logs from the period before the fix for suspicious cross-tenant usage.
## The prompt
You are remediating CVE-2026-23902 in an Apache DolphinScheduler deployment.
Produce either:
1. A PR/change request upgrading DolphinScheduler to 3.4.1+ and adding
verification steps, or
2. TRIAGE.md if upgrade is blocked.
## Required workflow
1. Identify current DolphinScheduler version from deployment manifests,
container tags, Helm values, or Maven coordinates.
2. If version is `<3.4.1`, apply minimal upgrade to `3.4.1+`.
3. Add a post-deploy verification checklist:
- authenticated non-admin user cannot execute workflow with undefined tenant;
- expected tenant-scoped workflows still function.
4. Include audit task to inspect execution logs in exposure window.
5. Keep changes scoped; do not bundle unrelated upgrades.
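Step 1 and the stop conditions both hinge on finding a pinned version and comparing it against 3.4.1. The script below is an added example (not part of the advisory and not Apache code) that scans deployment sources for DolphinScheduler version strings and classifies each as vulnerable, fixed, or unpinned. It assumes container images are named `apache/dolphinscheduler-*`, that Helm values for the chart carry the version in a `tag:` line, and that Maven coordinates use the `org.apache.dolphinscheduler` group; the sample manifests are constructed inputs.

```python
"""Locate pinned DolphinScheduler versions in deployment sources and flag
those below the first fixed release (3.4.1).  Added example; not Apache code."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]
FIXED_VERSION: Version = (3, 4, 1)  # first release carrying the fix (from the advisory)

# Assumed image naming: container refs like `image: apache/dolphinscheduler-api:3.2.2`
IMAGE_RE = re.compile(r'image:\s*["\']?([\w./-]*dolphinscheduler[\w./-]*):([\w.\-]+)')
# Assumed Helm layout: the chart's values file pins the version in a `tag:` line
HELM_TAG_RE = re.compile(r'^\s*tag:\s*["\']?([\w.\-]+)', re.MULTILINE)
# Maven coordinates: any artifact in the org.apache.dolphinscheduler group
MAVEN_RE = re.compile(
    r'<groupId>org\.apache\.dolphinscheduler</groupId>\s*'
    r'<artifactId>[^<]+</artifactId>\s*<version>([^<]+)</version>')


def parse_version(tag: str) -> Optional[Version]:
    """Return (major, minor, patch) or None for floating tags such as 'latest'."""
    m = re.match(r'v?(\d+)\.(\d+)\.(\d+)', tag.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(version: Optional[Version]) -> str:
    """Map a parsed version onto the advisory's affected/fixed ranges."""
    if version is None:
        return "unpinned"  # stop condition: the source does not pin a version
    return "vulnerable" if version < FIXED_VERSION else "fixed"


def find_version_strings(text: str) -> List[Tuple[str, str]]:
    """Collect (source, raw tag) pairs from manifests, Helm values and pom.xml text."""
    found: List[Tuple[str, str]] = []
    for m in IMAGE_RE.finditer(text):
        found.append(("image " + m.group(1), m.group(2)))
    for m in HELM_TAG_RE.finditer(text):
        found.append(("helm tag", m.group(1)))
    for m in MAVEN_RE.finditer(text):
        found.append(("maven", m.group(1)))
    return found


def assess(text: str) -> dict:
    """Classify every reference and derive the overall action for the change request."""
    findings = [(src, tag, classify(parse_version(tag)))
                for src, tag in find_version_strings(text)]
    statuses = {status for _, _, status in findings}
    if "vulnerable" in statuses:
        overall = "upgrade required"
    elif "unpinned" in statuses:
        overall = "stop: version not pinned"
    elif "fixed" in statuses:
        overall = "already fixed"
    else:
        overall = "no DolphinScheduler reference found"
    return {"findings": findings, "overall": overall}


# Constructed sample inputs, not taken from any real deployment.
K8S_MANIFEST = """\
containers:
  - name: api
    image: apache/dolphinscheduler-api:3.2.2
"""
HELM_VALUES = """\
image:
  registry: docker.io
  repository: apache/dolphinscheduler
  tag: 3.4.1
"""
POM_XML = """\
<dependency>
  <groupId>org.apache.dolphinscheduler</groupId>
  <artifactId>dolphinscheduler-api</artifactId>
  <version>3.3.0</version>
</dependency>
"""
UNPINNED_MANIFEST = "image: apache/dolphinscheduler-master:latest\n"

if __name__ == "__main__":
    for name, text in [("k8s", K8S_MANIFEST), ("helm", HELM_VALUES),
                       ("maven", POM_XML), ("unpinned", UNPINNED_MANIFEST)]:
        result = assess(text)
        print(f"{name}: {result['overall']}")
        for src, tag, status in result["findings"]:
            print(f"  {src}: {tag} -> {status}")
```

Run it over the concatenated deployment sources of the target environment; a "vulnerable" finding drives the upgrade PR, an "unpinned" finding with no vulnerable one maps onto the "does not pin version" stop condition, and "already fixed" maps onto the first stop condition.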
## Stop conditions
- Version already fixed.
- Deployment source does not pin DolphinScheduler version.
- Upgrade would require an unsupported platform leap.

## Verification — what the reviewer looks for
- Deployment now references 3.4.1+.
- Verification checklist is concrete and executable.
- PR body documents any observed tenant-boundary anomalies and next actions.
## References
- Apache disclosure (oss-security): https://www.openwall.com/lists/oss-security/2026/04/24/1
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-23902