Remote Code Execution in Apache Dolphinscheduler
Description
Exposure of Remote Code Execution in Apache Dolphinscheduler.
This issue affects Apache DolphinScheduler: before 3.2.1.
We recommend that users upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache DolphinScheduler before 3.2.1 contains a remote code execution vulnerability. Upgrade to version 3.2.1 to fix it.
Vulnerability
Overview
CVE-2023-49109 is a remote code execution (RCE) vulnerability in Apache DolphinScheduler, affecting versions before 3.2.1 [1][3]. The advisory text does not name the root cause; the narrative below infers it from the references. The issue appears to stem from insufficient input validation or improper handling of certain resources, allowing an attacker to execute arbitrary code on the server. The root cause appears to be related to a resource quota mechanism that could be manipulated: the related pull request (PR #14991, "[Improvement][K8S] Remove ResourceQuota") removes the Kubernetes ResourceQuota functionality as part of the fix [4].
Exploitation
To exploit this vulnerability, an attacker most likely needs to be an authenticated user with permission to submit or manage workflows. By crafting a malicious workflow or manipulating resource quota settings, such a user could cause arbitrary commands to run on the DolphinScheduler master or worker nodes. The attack surface includes the web UI, the API, and the Python SDK, all of which are used to define task types and dependencies [2].
Impact
Successful exploitation results in full remote code execution on the server, allowing the attacker to compromise the DolphinScheduler instance. This could lead to data exfiltration, service disruption, lateral movement within the network, and further compromise of interconnected systems. The vulnerability is rated as important severity by the Apache project [3].
Mitigation
The vulnerability is fixed in Apache DolphinScheduler version 3.2.1 [1]. Users are strongly advised to upgrade all installations as soon as possible. No workaround has been officially published; upgrading is the only recommended mitigation. The CVE was publicly disclosed on February 20, 2024 [3].
[1] NVD - CVE-2023-49109
[2] GitHub - apache/dolphinscheduler: Apache DolphinScheduler is the modern data orchestration platform. Agile to create high performance workflow with low-code
[3] security - CVE-2023-49109: Remote Code Execution in Apache Dolphinscheduler
[4] [Improvement][K8S] Remove ResourceQuota by Gallardot · Pull Request #14991 · apache/dolphinscheduler
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler (Maven) | >= 3.0.0, < 3.2.1 | 3.2.1 |
Affected products
- Apache Software Foundation / Apache DolphinScheduler, affected range: >= 3.0.0, < 3.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/apache/dolphinscheduler/pull/14991 (ghsa, patch, WEB)
- github.com/advisories/GHSA-qwxx-xww6-8q8m (ghsa, ADVISORY)
- lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8 (ghsa, vendor-advisory, WEB)
- lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-49109 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2024/02/20/4 (ghsa, WEB)
News mentions
No linked articles in our index yet.