Apache DolphinScheduler (incubating) Permission vulnerability
Description
In Apache DolphinScheduler before 1.3.2, an ordinary user under any tenant could change other users' passwords via the API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2020-13922 affects Apache DolphinScheduler versions prior to 1.3.2. The vulnerability allows an ordinary user, even under any tenant context, to overwrite another user's password through the API interface. This stems from insufficient authorization checks in the password change endpoint, where the system does not properly verify that the requesting user has permission to modify the target user's credentials [1][2].
Exploitation Mechanism
Exploitation requires only that an attacker has a valid user account on a vulnerable DolphinScheduler instance. No administrative privileges are needed. The attacker can directly invoke the password reset API while specifying a different user ID, thereby changing that user's password without proper authorization. The vulnerability exists because the API lacks a check to ensure the requester is the same user as the target, or is an administrator [4].
Impact
A successful exploit allows an attacker to take over any user account, including administrator accounts, by resetting their passwords. This could lead to full compromise of the DolphinScheduler instance, enabling unauthorized access to workflows, data sources, and sensitive operations such as executing tasks or modifying pipeline logic [1][2].
Mitigation
The issue is fixed in Apache DolphinScheduler version 1.3.2. All users running earlier versions should upgrade immediately. No workaround is provided; upgrading is the only remediation. The fix adds proper permission checks (hasPerm) before allowing password or token modifications [4].
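The missing owner-or-admin check described under Exploitation Mechanism, and the hasPerm guard named under Mitigation, reduced to a runnable Java model. This is an added example, not DolphinScheduler's code: the User, UserType, Status and hasPerm names mirror the diff, but their bodies and the in-memory user table are constructed here.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed illustration of CVE-2020-13922's root cause: a user-update path that
// trusts a request-supplied target id, beside the owner-or-admin guard (hasPerm) the
// 1.3.2 fix introduces. Not DolphinScheduler code; the types below are stubs.
public class PasswordChangeAuthz {
    enum UserType { ADMIN_USER, GENERAL_USER }
    enum Status { SUCCESS, USER_NOT_EXIST, USER_NO_OPERATION_PERM }

    static final class User {
        final int id; final UserType userType; String password;
        User(int id, UserType t, String pw) { this.id = id; this.userType = t; this.password = pw; }
    }

    // In-memory stand-in for the user mapper (constructed sample data).
    static final Map<Integer, User> USERS = new HashMap<>();

    // Pre-1.3.2 shape: any authenticated caller may name any userId as the target.
    static Status updateUserVulnerable(User loginUser, int userId, String newPassword) {
        User target = USERS.get(userId);
        if (target == null) return Status.USER_NOT_EXIST;
        target.password = newPassword;
        return Status.SUCCESS;
    }

    // Owner-or-admin guard: decided from the session identity, never from the request.
    static boolean hasPerm(User loginUser, int userId) {
        return loginUser.userType == UserType.ADMIN_USER || loginUser.id == userId;
    }

    // Fixed shape: authorize before the row is even loaded.
    static Status updateUserFixed(User loginUser, int userId, String newPassword) {
        if (!hasPerm(loginUser, userId)) return Status.USER_NO_OPERATION_PERM;
        User target = USERS.get(userId);
        if (target == null) return Status.USER_NOT_EXIST;
        target.password = newPassword;
        return Status.SUCCESS;
    }

    public static void main(String[] args) {
        User admin = new User(1, UserType.ADMIN_USER, "admin-pw");
        User alice = new User(2, UserType.GENERAL_USER, "alice-pw");
        User bob = new User(3, UserType.GENERAL_USER, "bob-pw");
        USERS.put(admin.id, admin); USERS.put(alice.id, alice); USERS.put(bob.id, bob);
        // A general user (alice) naming another account (bob) as the target.
        System.out.println("vulnerable: " + updateUserVulnerable(alice, bob.id, "x"));
        System.out.println("fixed:      " + updateUserFixed(alice, bob.id, "x"));
        System.out.println("own record: " + updateUserFixed(alice, alice.id, "x"));
        System.out.println("as admin:   " + updateUserFixed(admin, bob.id, "x"));
    }
}
```

The point to carry over to real code is that the guard compares the target id against the authenticated principal, so the same check applies whether the target is the caller's own record or someone else's.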
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler-api | Maven | < 1.3.2 | 1.3.2 |
Affected products
- Range: Apache DolphinScheduler
Patches
b8a9e2e00f2f modify general user can't create,delete,update token (#3538)
1 file changed · +7 −8
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/AccessTokenService.java+7 −8 modified@@ -84,7 +84,9 @@ public Map<String, Object> queryAccessTokenList(User loginUser, String searchVal */ public Map<String, Object> createToken(User loginUser, int userId, String expireTime, String token) { Map<String, Object> result = new HashMap<>(5); - if(check(result, !isAdmin(loginUser), Status.USER_NO_OPERATION_PERM)){ + + if (!hasPerm(loginUser,userId)){ + putMsg(result, Status.USER_NO_OPERATION_PERM); return result; } @@ -140,10 +142,6 @@ public Map<String, Object> generateToken(User loginUser, int userId, String expi public Map<String, Object> delAccessTokenById(User loginUser, int id) { Map<String, Object> result = new HashMap<>(5); - if(check(result, !isAdmin(loginUser), Status.USER_NO_OPERATION_PERM)){ - return result; - } - AccessToken accessToken = accessTokenMapper.selectById(id); if (accessToken == null) { @@ -152,8 +150,7 @@ public Map<String, Object> delAccessTokenById(User loginUser, int id) { return result; } - if (loginUser.getId() != accessToken.getUserId() && - loginUser.getUserType() != UserType.ADMIN_USER) { + if (!hasPerm(loginUser,accessToken.getUserId())){ putMsg(result, Status.USER_NO_OPERATION_PERM); return result; } @@ -176,9 +173,11 @@ public Map<String, Object> delAccessTokenById(User loginUser, int id) { public Map<String, Object> updateToken(User loginUser, int id, int userId, String expireTime, String token) { Map<String, Object> result = new HashMap<>(5); - if(check(result, !isAdmin(loginUser), Status.USER_NO_OPERATION_PERM)){ + if (!hasPerm(loginUser,userId)){ + putMsg(result, Status.USER_NO_OPERATION_PERM); return result; } + AccessToken accessToken = accessTokenMapper.selectById(id); if (accessToken == null) { logger.error("access token not exist, access token id {}", id);
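Review bot: In the createToken hunk the new guard `if (!hasPerm(loginUser,userId))` replaces an admin-only check with a per-user one, but hasPerm is not defined anywhere in this diff, so the review should confirm it returns true only when loginUser is ADMIN_USER or loginUser.getId() == userId; that equivalence is the entire fix. Style: the surrounding code writes `if (` with a space and separates arguments with `, `, so `hasPerm(loginUser,userId)` should be `hasPerm(loginUser, userId)`, and the added blank line before the `if` is unnecessary.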
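Review bot: In the delAccessTokenById hunk the early admin check is removed outright, so `accessTokenMapper.selectById(id)` and the `accessToken == null` error branch now execute before any authorization decision, and the not-found status reaches callers who are later denied by hasPerm. Consider returning USER_NO_OPERATION_PERM for both the missing-token and not-owned cases, or keeping an authorization step ahead of the lookup, so the ordering of checks does not leak which ids exist.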
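Review bot: In the updateToken hunk the permission check is made against the request-supplied `userId`, while the token actually modified is selected by `id` only afterwards, and nothing visible compares loginUser against accessToken.getUserId() the way the delAccessTokenById hunk does. Unless the elided remainder adds that comparison, the two identifiers can disagree and the check would not cover the token's real owner; suggest adding `if (!hasPerm(loginUser, accessToken.getUserId()))` after the null check, mirroring the delete path.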
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qhh5-9738-g9mx (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13922 (advisory)
- github.com/apache/incubator-dolphinscheduler/commit/b8a9e2e00f2f207ae60c913a7173b59405ff95f1 (web)
- github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2021-876.yaml (web)
- www.mail-archive.com/announce%40apache.org/msg06076.html (web, x_refsource_MISC)
- www.mail-archive.com/announce@apache.org/msg06076.html (web)
News mentions
No linked articles in our index yet.