Apache DolphinScheduler prior to 3.0.0 allows path traversal
Description
When users add resources to the resource center with a relation path, this causes path traversal issues; it affects only logged-in users. Upgrade to version 3.0.0 or higher.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache DolphinScheduler prior to 3.0.0 has a path traversal vulnerability in the resource center when adding resources with a relation path, exploitable by authenticated users.
Vulnerability Description
CVE-2022-34662 is a path traversal vulnerability in Apache DolphinScheduler versions prior to 3.0.0. The root cause is insufficient validation of the relation path parameter when users add resources to the resource center, allowing directory traversal attacks [1][3].
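An added example, not DolphinScheduler's code or its actual fix: one way to validate a user-supplied relation path is to resolve it against the resource directory and reject any result that falls outside it. The class and method names, the base directory and the sample inputs are hypothetical and constructed for illustration, and the example assumes the relation path is meant to be relative to the resource directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class ResourcePathGuard {

    /**
     * Resolve a user-supplied path under baseDir and reject anything that
     * would land outside it. Hypothetical helper, not the project's API.
     */
    static Path resolveInside(Path baseDir, String userPath) {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed path");
        }
        // Treat both separators alike so "..\\x" is not one odd file name on Unix.
        String unified = userPath.replace('\\', '/');
        Path base = baseDir.toAbsolutePath().normalize();
        // normalize() collapses "." and ".." lexically; resolve() returns the
        // argument itself when it is absolute, so that case fails the check too.
        Path candidate = base.resolve(unified).normalize();
        // Path.startsWith compares whole name elements, so ".../tenant10"
        // does not count as being inside ".../tenant1".
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new SecurityException("path escapes resource directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/data/resources/tenant1"); // constructed sample directory
        List<String> samples = List.of(                   // constructed sample inputs
                "jobs/etl.sql",
                "jobs/../lib/util.py",
                "../tenant2/report.sql",
                "../tenant10/report.sql",
                "jobs/../../../conf/app.properties",
                "/conf/app.properties",
                "..\\..\\conf\\app.properties");
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + s + " -> " + resolveInside(base, s));
            } catch (RuntimeException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

`normalize()` is purely lexical; where the storage can contain symbolic links, the same containment check should also be applied to the `toRealPath()` results.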
Exploitation Conditions
The vulnerability is exploitable only by authenticated users, meaning an attacker must have valid login credentials to the DolphinScheduler web interface. No special privileges beyond being logged in are required; the attacker can craft a malicious relation path when adding a resource to traverse directories outside the intended scope [1][3].
Impact
Successful exploitation could allow an attacker to read or write files outside the designated resource directory, potentially leading to unauthorized access to sensitive configuration files, data, or other system resources. The exact impact depends on the file system permissions and the context of the DolphinScheduler installation [1][3].
Mitigation
The vulnerability is fixed in Apache DolphinScheduler version 3.0.0 and later. Users are strongly advised to upgrade to the latest version. No official workaround is documented, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler (Maven) | < 3.0.0 | 3.0.0 |
Affected products
- Apache Software Foundation/Apache DolphinScheduler (v5), Range: Apache DolphinScheduler
References
- github.com/advisories/GHSA-fp35-xrrr-3gph (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-34662 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/11/01/13 (ghsa, mailing-list, WEB)
- lists.apache.org/thread/pbdzqf9ntxyvs4cr0x2dgk9zlf43btz8 (ghsa, WEB)