Apache DolphinScheduler: Alert Script Attack
Description
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script on the server via an alert script.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can execute arbitrary shell scripts via the alert script feature in Apache DolphinScheduler before 3.2.2.
Vulnerability Overview
CVE-2024-43115 is an Improper Input Validation vulnerability in Apache DolphinScheduler that allows an authenticated user to execute arbitrary shell scripts on the server through the alert script functionality [1][3]. The root cause is insufficient validation of user-supplied input when processing alert scripts, enabling command injection.
Exploitation
An attacker must first authenticate to the DolphinScheduler instance. Once authenticated, they can craft a malicious alert script that bypasses input validation and executes arbitrary shell commands on the server. The attack does not require any special privileges beyond standard user access [3].
Impact
Successful exploitation grants the attacker the ability to execute arbitrary shell commands on the DolphinScheduler server. This could lead to full compromise of the server, including data exfiltration, installation of backdoors, or lateral movement within the network.
Mitigation
The vulnerability affects all versions before 3.2.2. Users are recommended to upgrade to version 3.3.1, which contains the fix [1][3]. No workarounds have been publicly documented.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler (Maven) | < 3.2.2 | 3.2.2 |
Affected products
- Range: <3.2.2
- Apache Software Foundation/Apache DolphinScheduler (v5), Range: 0
References
- github.com/advisories/GHSA-3vcp-r62v-xpvg (ghsa, ADVISORY)
- lists.apache.org/thread/qm36nrsv1vrr2j4o5q2wo75h3686hrnj (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-43115 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2025/09/03/1 (ghsa, WEB)