Apache: Seven CVEs Across Shiro, DolphinScheduler, and Airflow Disclosed June 17

Key findings
- Apache disclosed 7 CVEs across Shiro, DolphinScheduler, and Airflow on June 17, 2026
- Five of the seven are authorization bypass flaws in Apache DolphinScheduler, all fixed in v3.4.2
- CVE-2026-49268 is an LDAP DN injection in Shiro's DefaultLdapRealm allowing remote manipulation of directory queries
- CVE-2026-50203 is a path traversal in Airflow's SFTP provider that lets a malicious server write files outside the destination directory
- No patch versions were announced for Shiro or the Airflow SFTP provider at disclosure time
On June 17, 2026, the Apache Software Foundation disclosed seven vulnerabilities spanning three of its projects — Apache Shiro, Apache DolphinScheduler, and Apache Airflow — in a single-day security advisory burst. The batch includes an LDAP injection flaw in Shiro, five authorization bypass bugs in DolphinScheduler, and a path traversal issue in the Airflow SFTP provider. While the vulnerabilities affect different products, they share a common theme: insufficient input validation and missing permission checks that could allow attackers to escalate privileges, access unauthorized data, or write files outside intended directories.
**Apache Shiro: LDAP DN Injection**
The most severe single vulnerability in the batch is CVE-2026-49268 (CVSS score not provided, but described as a remote LDAP DN injection). The flaw resides in the DefaultLdapRealm class, where user-supplied username input is directly concatenated into the LDAP Distinguished Name (DN) template without escaping RFC 2253 special characters. An unauthenticated remote attacker can inject LDAP control characters to manipulate the DN structure, potentially bypassing authentication or gaining unauthorized access to directory resources. No patch version was specified for Shiro in the advisory; users should monitor the Shiro project for a fix.
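The defence the advisory implies for the Shiro flaw is escaping the username before it is substituted into the DN template. The following added example (written here in Python for illustration; Shiro itself is Java and this is not Shiro code) implements the RFC 2253 attribute-value escaping rules, shows the vulnerable raw-substitution pattern beside the escaped one, and counts RDNs so the structural difference is visible. The `{0}` placeholder template imitates the style of Shiro's `userDnTemplate`; the sample usernames are constructed, and the allowlist regex is an assumed policy, not one taken from the page.

```python
"""RFC 2253 DN value escaping versus raw substitution (added example, not Shiro code)."""
import re

# Characters RFC 2253 section 2.4 requires escaping anywhere inside an attribute value.
_SPECIAL = set(',+"\\<>;')

# Assumed allowlist policy for usernames; a simpler mitigation than escaping.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot change the DN's structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")          # a leading '#' would start a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing spaces must be escaped
        elif ch == "\x00":
            out.append("\\00")         # NUL is only representable as a hex pair
        else:
            out.append(ch)
    return "".join(out)


def username_is_allowed(username: str) -> bool:
    """Allowlist check: reject anything that is not a plain account name."""
    return bool(_USERNAME_RE.fullmatch(username))


def build_dn_unsafe(template: str, username: str) -> str:
    """The vulnerable pattern: the raw value is dropped into the template."""
    return template.replace("{0}", username)


def build_dn_safe(template: str, username: str) -> str:
    """Hardened pattern: only the escaped value reaches the template."""
    return template.replace("{0}", escape_dn_value(username))


def count_rdns(dn: str) -> int:
    """Count RDNs by splitting on commas that are not backslash-escaped."""
    count, escaped = 1, False
    for ch in dn:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            count += 1
    return count


if __name__ == "__main__":
    template = "uid={0},ou=users,dc=example,dc=com"   # constructed template
    for name in ("alice", "smith, john"):             # constructed inputs
        print(name, count_rdns(build_dn_unsafe(template, name)),
              count_rdns(build_dn_safe(template, name)))
```

With the template above, a value such as `smith, john` turns the four-RDN template into five RDNs when substituted raw, but stays at four once escaped; the allowlist rejects it outright, which is the cheaper option when usernames are known to be plain identifiers.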
**Apache DolphinScheduler: Five Authorization Bypass Flaws**
The bulk of the batch — five CVEs — targets Apache DolphinScheduler, the popular workflow and task scheduling platform. All five are incorrect authorization vulnerabilities, and all are fixed in version 3.4.2:
- CVE-2026-47340 allows authenticated users to access alert instances associated with alert groups they lack permission to view.
- CVE-2026-32967 concerns the /v2 experimental interface, which lacks permission checks entirely, exposing endpoints to unauthorized users.
- CVE-2026-42357 lets users access workflow instance information belonging to projects they do not have permission to access.
- CVE-2026-41280 enables users with system login privileges to delete task definitions in unauthorized projects.
- CVE-2026-32966 is a missing authorization check in the DataSource API that leads to arbitrary data source metadata disclosure.
Taken together, these flaws undermine DolphinScheduler's multi-tenant isolation model. An authenticated attacker with minimal privileges could enumerate workflows, alert configurations, and data source metadata across projects, or even delete task definitions they should not be able to touch. The Apache DolphinScheduler team has addressed all five in the 3.4.2 release; users on earlier versions should upgrade immediately.
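All five DolphinScheduler findings share one shape: the caller is authenticated, but the handler never checks that the caller belongs to the project that owns the resource it is about to read or delete. The following added example (Python, not DolphinScheduler code, which is Java) models that with a constructed in-memory store of project-scoped resources, shows the unchecked lookup beside a decorator that enforces project membership before any read or mutation, and filters listings by membership so cross-project enumeration is not possible. The `User`, `Resource` and `STORE` names and the sample data are all constructed for illustration.

```python
"""Project-scoped authorization check (added example, not DolphinScheduler code)."""
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller is not a member of the resource's project."""


@dataclass(frozen=True)
class User:
    name: str
    projects: frozenset = frozenset()   # projects the user is a member of
    is_admin: bool = False


@dataclass
class Resource:
    id: int
    project: str
    kind: str   # e.g. "workflow_instance", "task_definition", "datasource"


# Constructed sample store: two projects with resources spread across them.
STORE = {
    1: Resource(1, "proj-a", "workflow_instance"),
    2: Resource(2, "proj-b", "workflow_instance"),
    3: Resource(3, "proj-b", "task_definition"),
    4: Resource(4, "proj-a", "datasource"),
}


def lookup_unchecked(user: User, resource_id: int) -> Resource:
    """Vulnerable shape: login is required, but only the id is checked."""
    return STORE[resource_id]


def is_member(user: User, resource: Resource) -> bool:
    return user.is_admin or resource.project in user.projects


def require_project_member(fn):
    """Fetch the resource and verify project membership before the handler runs."""
    @wraps(fn)
    def wrapper(user: User, resource_id: int, *args, **kwargs):
        resource = STORE.get(resource_id)
        if resource is None:
            raise KeyError(resource_id)
        if not is_member(user, resource):
            raise Forbidden(f"{user.name} may not access resource {resource_id}")
        return fn(user, resource, *args, **kwargs)
    return wrapper


@require_project_member
def get_resource(user: User, resource: Resource) -> Resource:
    """Hardened read: the decorator has already confirmed membership."""
    return resource


@require_project_member
def delete_resource(user: User, resource: Resource) -> bool:
    """Hardened delete: unauthorized callers never reach the mutation."""
    del STORE[resource.id]
    return True


def list_resources(user: User, kind: str) -> list:
    """Listings are filtered by membership, so other projects are not enumerable."""
    return sorted(r.id for r in STORE.values()
                  if r.kind == kind and is_member(user, r))


def can_access(user: User, resource_id: int) -> bool:
    """Convenience wrapper returning a boolean instead of raising."""
    try:
        get_resource(user, resource_id)
        return True
    except Forbidden:
        return False
```

The point of the decorator is ordering: the ownership check runs after the resource is loaded (so the check sees the real project) but before any handler logic, which is exactly the gap a "missing authorization check" bug leaves open.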
**Apache Airflow SFTP Provider: Path Traversal**
The seventh CVE, CVE-2026-50203, affects the Apache Airflow SFTP provider. A path traversal vulnerability in SFTPHook.retrieve_directory (and SFTPOperator(operation=get)) allows a malicious or compromised remote SFTP server to write files outside the configured local destination directory by crafting directory-entry names with ../ sequences. Notably, no Airflow account is required to trigger the issue — any deployment that connects to an untrusted SFTP server is at risk. The advisory did not specify a patched version; users should check for updates to the apache-airflow-providers-sftp package.
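The mitigation for a server-controlled listing is to treat every entry name as untrusted and confine the resulting local path to the destination directory before writing. The following added example (Python, not code from apache-airflow-providers-sftp) shows that confinement: it rejects absolute names and any `..` component up front, then resolves the candidate path and verifies it is still inside the resolved destination, which also catches symlinks inside the destination that point elsewhere. The listing is constructed; a real `SFTPHook.retrieve_directory` would obtain it from the server.

```python
"""Confine server-supplied entry names to a local destination (added example)."""
from pathlib import Path, PurePosixPath


class UnsafeRemotePath(ValueError):
    """The remote entry name would resolve outside the destination directory."""


def safe_local_path(dest_dir: Path, remote_name: str) -> Path:
    """Map a server-supplied entry name to a path strictly inside dest_dir."""
    remote = PurePosixPath(remote_name)
    # Reject before touching the filesystem: absolute names, empty names, '..' parts.
    if remote.is_absolute() or not remote.parts or ".." in remote.parts:
        raise UnsafeRemotePath(remote_name)
    root = dest_dir.resolve()
    candidate = (root / Path(*remote.parts)).resolve()
    # resolve() follows symlinks, so an existing link under dest_dir that points
    # outside it is caught here as well.
    if candidate != root and root not in candidate.parents:
        raise UnsafeRemotePath(remote_name)
    return candidate


def plan_retrieval(dest_dir: Path, listing: list) -> tuple:
    """Split a remote listing into (accepted local paths, rejected entry names)."""
    accepted, rejected = [], []
    for name in listing:
        try:
            accepted.append(safe_local_path(dest_dir, name))
        except UnsafeRemotePath:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed listing as a malicious server might return it.
    sample = ["report.csv", "2026/06/report.csv", "../escape.txt", "/etc/x", "sub/../../y", ""]
    ok, bad = plan_retrieval(Path("sftp-dest"), sample)
    print("accepted:", [str(p) for p in ok])
    print("rejected:", bad)
```

Rejecting `..` components outright, rather than relying on the resolve-and-compare step alone, keeps the policy simple to audit: a name that needs `..` to describe has no legitimate place in a download destination.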
**Response and Mitigations**
Apache has released fixed versions for DolphinScheduler (3.4.2) and is expected to issue patches for Shiro and the Airflow SFTP provider. For DolphinScheduler, upgrading to 3.4.2 resolves all five CVEs. For Shiro, users should apply input validation or escaping on LDAP DNs as a workaround until a patch is available. Airflow SFTP provider users should restrict connections to trusted SFTP servers and monitor for provider updates.
**Why This Batch Matters**
While the seven CVEs span three distinct Apache projects, the disclosure signals a broader pattern: Apache's ecosystem continues to struggle with authorization and input-validation bugs in core infrastructure components. DolphinScheduler's five authorization gaps are especially concerning for organizations running multi-tenant deployments, where project isolation is critical. Users of all three projects should prioritize patching DolphinScheduler to 3.4.2 and watch for forthcoming fixes for Shiro and the Airflow SFTP provider.