Maven package
org.apache.dolphinscheduler/dolphinscheduler
pkg:maven/org.apache.dolphinscheduler/dolphinscheduler
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23902 | Hig | 8.1 | < 3.4.1 | 3.4.1 | Apr 24, 2026 | Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution. This issue affects Apache DolphinScheduler versions prior to 3.4.1. Users ar | |
| CVE-2025-62233 | Med | 6.3 | >= 3.2.0, < 3.3.1 | 3.3.1 | Apr 24, 2026 | Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module. This issue affects Apache DolphinScheduler: Version >= 3.2.0 and < 3.3.1. Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, inj | |
| CVE-2025-62188 | Hig | 7.5 | >= 3.1.0, < 3.2.0 | 3.2.0 | Apr 9, 2026 | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions | |
| CVE-2024-43166 | — | < 3.3.1 | 3.3.1 | Sep 3, 2025 | Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue. | ||
| CVE-2024-43115 | — | < 3.2.2 | 3.2.2 | Sep 3, 2025 | Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue. | ||
| CVE-2024-30188 | — | >= 3.1.0, < 3.2.2 | 3.2.2 | Aug 9, 2024 | File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2. Users are recommended to upgrade to version 3.2.2, which fixes the issue. | ||
| CVE-2024-29831 | — | < 3.2.2 | 3.2.2 | Aug 9, 2024 | Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2. | ||
| CVE-2023-51770 | — | < 3.2.1 | 3.2.1 | Feb 20, 2024 | Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. | ||
| CVE-2023-50270 | — | >= 1.3.8, < 3.2.1 | 3.2.1 | Feb 20, 2024 | Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. | ||
| CVE-2023-49250 | — | < 3.2.1 | 3.2.1 | Feb 20, 2024 | Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to ve | ||
| CVE-2023-49109 | — | >= 3.0.0, < 3.2.1 | 3.2.1 | Feb 20, 2024 | Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. | ||
| CVE-2023-48796 | — | >= 3.0.0, < 3.0.2 | 3.0.2 | Nov 24, 2023 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment var | ||
| CVE-2022-45875 | — | < 3.0.2 | 3.0.2 | Jan 4, 2023 | Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by a | ||
| CVE-2022-34662 | — | < 3.0.0 | 3.0.0 | Nov 1, 2022 | When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher | ||
| CVE-2022-26884 | — | < 2.0.6 | 2.0.6 | Oct 28, 2022 | Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. | ||
| CVE-2022-25598 | — | < 2.0.5 | 2.0.5 | Mar 30, 2022 | Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. | ||
| CVE-2020-11974 | — | < 1.3.0 | 1.3.0 | Dec 18, 2020 | In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database. |
- affected < 3.4.1fixed 3.4.1
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution. This issue affects Apache DolphinScheduler versions prior to 3.4.1. Users ar
- affected >= 3.2.0, < 3.3.1fixed 3.3.1
Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module. This issue affects Apache DolphinScheduler: Version >= 3.2.0 and < 3.3.1. Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, inj
- affected >= 3.1.0, < 3.2.0fixed 3.2.0
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions
- CVE-2024-43166Sep 3, 2025affected < 3.3.1fixed 3.3.1
Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.
- CVE-2024-43115Sep 3, 2025affected < 3.2.2fixed 3.2.2
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.
- CVE-2024-30188Aug 9, 2024affected >= 3.1.0, < 3.2.2fixed 3.2.2
File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2. Users are recommended to upgrade to version 3.2.2, which fixes the issue.
- CVE-2024-29831Aug 9, 2024affected < 3.2.2fixed 3.2.2
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.
- CVE-2023-51770Feb 20, 2024affected < 3.2.1fixed 3.2.1
Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
- CVE-2023-50270Feb 20, 2024affected >= 1.3.8, < 3.2.1fixed 3.2.1
Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue.
- CVE-2023-49250Feb 20, 2024affected < 3.2.1fixed 3.2.1
Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to ve
- CVE-2023-49109Feb 20, 2024affected >= 3.0.0, < 3.2.1fixed 3.2.1
Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.
- CVE-2023-48796Nov 24, 2023affected >= 3.0.0, < 3.0.2fixed 3.0.2
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment var
- CVE-2022-45875Jan 4, 2023affected < 3.0.2fixed 3.0.2
Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by a
- CVE-2022-34662Nov 1, 2022affected < 3.0.0fixed 3.0.0
When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher
- CVE-2022-26884Oct 28, 2022affected < 2.0.6fixed 2.0.6
Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
- CVE-2022-25598Mar 30, 2022affected < 2.0.5fixed 2.0.5
Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.
- CVE-2020-11974Dec 18, 2020affected < 1.3.0fixed 1.3.0
In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database.