Apache DolphinScheduler: Session do not expire after password change
Description
Session fixation in Apache DolphinScheduler before version 3.2.0: a session remains valid after the password is changed.
Users are recommended to upgrade to version 3.2.1, which fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache DolphinScheduler before 3.2.0 suffers from session fixation: a session remains valid after a password change, enabling account takeover.
Vulnerability
CVE-2023-50270 is a session fixation vulnerability in Apache DolphinScheduler versions prior to 3.2.0. The root cause is that the application does not invalidate the user's session after a password change, meaning the old session token remains valid indefinitely [1][3]. This violates the security best practice that a session should be regenerated following sensitive operations like credential rotation.
Exploitation
An attacker can exploit this by first obtaining a valid session token for a target user—potentially via social engineering, network sniffing, or other means. If the user later changes their password (for example, as part of routine maintenance or after a suspected compromise), the attacker's captured session token is still accepted by the server, allowing continued access without knowledge of the new password [3]. No additional authentication is required once the token is obtained.
Impact
A successful attacker gains persistent unauthorized access to the victim's account, with all associated privileges in DolphinScheduler. This could include the ability to view, create, modify, or delete workflows, access data sources, and manage project permissions, depending on the compromised user's role [2]. The confidentiality, integrity, and availability of the orchestration platform may be significantly impacted.
Mitigation
The vulnerability is fixed in Apache DolphinScheduler version 3.2.1 [1][3]. Users running versions 1.3.8 through 3.2.0 should upgrade immediately. No workarounds are documented; upgrading is the recommended action. The issue was reported by lujiefsi [3] and is classified as important severity.
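As an added illustration, not code from DolphinScheduler or from the advisory, the following Python models the two behaviours side by side: a session store that keeps every token alive across a password change (the pre-3.2.1 behaviour described above), and one that stamps each session with a password version so that all pre-rotation sessions are rejected and the client that rotated the password receives a fresh token. The in-memory store, the `User` class and the plaintext password field are assumptions made for the demo only.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    name: str
    password: str          # plaintext only for this demo; real code stores a hash
    password_version: int = 0


class SessionStore:
    """Sessions are token -> (user name, password version at login).

    With invalidate_on_password_change=True the version is checked on every
    request, so bumping it on rotation revokes all earlier sessions at once.
    """

    def __init__(self, invalidate_on_password_change: bool) -> None:
        self.invalidate = invalidate_on_password_change
        self.sessions: Dict[str, Tuple[str, int]] = {}

    def login(self, user: User, password: str) -> Optional[str]:
        if not secrets.compare_digest(password, user.password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user.name, user.password_version)
        return token

    def is_valid(self, token: str, user: User) -> bool:
        entry = self.sessions.get(token)
        if entry is None or entry[0] != user.name:
            return False
        # Fixed variant: a session minted before the last rotation is stale.
        return not (self.invalidate and entry[1] != user.password_version)

    def change_password(self, user: User, token: str, old: str, new: str) -> str:
        if not self.is_valid(token, user) or not secrets.compare_digest(old, user.password):
            raise PermissionError("re-authentication failed")
        user.password = new
        if not self.invalidate:
            return token                       # vulnerable: old sessions keep working
        user.password_version += 1             # revokes every outstanding session
        new_token = self.login(user, new)      # fresh session for the rotating client
        assert new_token is not None
        return new_token


def stale_session_survives(invalidate: bool) -> bool:
    """Constructed scenario: a second session opened before the rotation."""
    alice = User("alice", "old-pw")
    store = SessionStore(invalidate)
    earlier = store.login(alice, "old-pw")     # pre-rotation session
    current = store.login(alice, "old-pw")     # session used to rotate the password
    store.change_password(alice, current, "old-pw", "new-pw")
    return store.is_valid(earlier, alice)
```

Session versioning revokes stateless tokens too (the version can be compared against a claim embedded in a signed token), which is why it is preferred over enumerating and deleting server-side sessions.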
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler (Maven) | >= 1.3.8, < 3.2.1 | 3.2.1 |
Affected products
- Apache Software Foundation / Apache DolphinScheduler (v5 range from 1.3.8)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/apache/dolphinscheduler/pull/15219 (patch)
- github.com/advisories/GHSA-vjqc-g788-f378 (advisory)
- lists.apache.org/thread/94prw8hyk60vvw7s6cs3tr708qzqlwl6 (vendor advisory)
- lists.apache.org/thread/lmnf21obyos920dnvbfpwq29c1sd2r9r (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-50270 (advisory)
- www.openwall.com/lists/oss-security/2024/02/20/3 (web)
News mentions
No linked articles in our index yet.