=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN424
_____________________________________________________________________

DATE                : 24/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache DolphinScheduler versions
                     prior to 3.4.1.

=====================================================================
https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9
https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0
_____________________________________________________________________

CVE-2026-23902: Apache DolphinScheduler: Users are able to use tenants
that are not defined on the platform during workflow execution.
Severity: moderate 

Affected versions:

- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.1

Description:

Incorrect Authorization vulnerability in Apache DolphinScheduler allows
authenticated users with system login permissions to use tenants that
are not defined on the platform during workflow execution.

This issue affects Apache DolphinScheduler versions prior to 3.4.1. 

Users are recommended to upgrade to version 3.4.1, which fixes this
issue.

Credit:

Jihang Yu (reporter)

References:

https://dolphinscheduler.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-23902


_____________________________________________________________________

CVE-2025-62233: Apache DolphinScheduler: Deserialization of untrusted
data in RPC
Severity: Moderate 

Affected versions:

- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-extract-base) 3.2.0 before 3.3.1

Description:

Deserialization of Untrusted Data vulnerability in Apache
DolphinScheduler RPC module.

This issue affects Apache DolphinScheduler versions >= 3.2.0 and < 3.3.1.

Attackers who can access the Master or Worker nodes can compromise the
system by creating a StandardRpcRequest, injecting a malicious class
type into it, and sending RPC requests to the DolphinScheduler
Master/Worker nodes.

Users are recommended to upgrade to version 3.3.1, which fixes the
issue.
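The RPC deserialization weakness above is the textbook case for a class allowlist on the receiving side. The following is an added illustration, not DolphinScheduler's code or its actual fix: a JEP 290 ObjectInputFilter that admits only the message types the RPC layer expects, with PingRequest as a hypothetical stand-in for the request payload.

```java
import java.io.*;
import java.util.Set;

public class RpcDeserializationAllowlist {
    // Hypothetical RPC message type standing in for the real request payload.
    public static final class PingRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String target;
        PingRequest(String target) { this.target = target; }
    }

    // Only the classes the RPC layer legitimately exchanges are admitted; any
    // other class type is refused before its readObject/readResolve code runs.
    static final Set<String> ALLOWED = Set.of(
            PingRequest.class.getName(), String.class.getName());

    static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 4 || info.references() > 100) {
            return ObjectInputFilter.Status.REJECTED;  // bound graph depth and size
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // size-only callbacks carry no class
        }
        while (c.isArray()) c = c.getComponentType(); // judge arrays by element type
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize an incoming payload with the allowlist enforced on this stream.
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = readFiltered(serialize(new PingRequest("worker-1")));
        System.out.println("accepted: " + ok.getClass().getSimpleName());
        try { // constructed payload of a class the RPC layer never sends
            readFiltered(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejected path surfaces as an InvalidClassException with "filter status: REJECTED", which is the event worth logging and alerting on at the Master/Worker RPC boundary.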

Credit:

75Acol, fcgboy, ch0wn, zer0duck (finder)

References:

https://dolphinscheduler.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-62233



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================