=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN658
_____________________________________________________________________

DATE                : 19/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache DolphinScheduler versions
                     prior to 3.4.2.

=====================================================================
https://lists.apache.org/thread/b5q1ln370qoysx60f1o4ppj2m0dhsmj9
https://lists.apache.org/thread/dkrcvv8817fq0x6c70m8tzdsx404tz51
https://lists.apache.org/thread/mb61o45rjjvx4h34qcl2jqtyxrq0pzo0
https://lists.apache.org/thread/9lcr2kj8p60h3kvyxqn9284s8ly699mh
https://lists.apache.org/thread/ltfvolyddzflf9zgh0g989llzr71r1d4
_____________________________________________________________________

CVE-2026-32966: Apache DolphinScheduler: DataSource API Missing
Authorization Check Leads to Arbitrary Data Source Metadata Disclosure

Severity: moderate 

Affected versions:

- Apache DolphinScheduler
(org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.2

Description:

DataSource API Missing Authorization Check Leads to Arbitrary Data
Source Metadata Disclosure in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes
the issue.

Credit:

b0b0haha (603571786@qq.com) (finder)
j311yl0v3u (2439839508@qq.com) (finder)

References:

https://dolphinscheduler.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-32966

_____________________________________________________________________

CVE-2026-32967: Apache DolphinScheduler: The `/v2` experimental
interface lacks permission checks

Severity: moderate

Affected versions:

- Apache DolphinScheduler
(org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.2

Description:

Incorrect Authorization vulnerability of `/v2` experimental interface
in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the
issue.

Credit:

b0b0haha (603571786@qq.com) (finder)
j311yl0v3u (2439839508@qq.com) (finder)

References:

https://dolphinscheduler.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-32967

_____________________________________________________________________

CVE-2026-42357: Apache DolphinScheduler: Incorrect Authorization
vulnerability allows users to access workflow instance information
belonging to projects they do not have permission to access.

Severity: moderate 

Affected versions:

- Apache DolphinScheduler
(org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.1

Description:

Incorrect Authorization vulnerability allows users to access workflow
instance information belonging to projects they do not have permission
to access.

This issue affects Apache DolphinScheduler versions prior to 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes this
issue.

Credit:

Yicheng Yu (https://github.com/FHMTT) (finder)

References:

https://dolphinscheduler.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-42357

_____________________________________________________________________

CVE-2026-47340: Apache DolphinScheduler: An incorrect authorization
vulnerability allows authenticated users to access alert instances
associated with alert groups they do not have permission to access.

Severity: moderate 

Affected versions:

- Apache DolphinScheduler
(org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.2

Description:

Authenticated users are allowed to access alert instances associated
with alert groups they do not have permission to access in Apache
DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the
issue.

Credit:

thesecguy45@gmail.com (finder)
udolemi (S2W) (finder)

References:

https://dolphinscheduler.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-47340

_____________________________________________________________________

CVE-2026-49050: Apache DolphinScheduler: General user can mint admin
access tokens via /access-tokens

Severity: moderate 

Affected versions:

- Apache DolphinScheduler
(org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.2

Description:

General user can mint admin access tokens via /access-tokens

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the
issue.

Credit:

George Chen (https://github.com/geo-chen) (finder)

References:

https://dolphinscheduler.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-49050


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================