CVE-2026-41280

EUVD-2026-37581
Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects

This issue affects Apache DolphinScheduler versions prior to 3.4.2. 

Users are recommended to upgrade to version 3.4.2, which fixes this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
apachedolphinscheduler
𝑥
< 3.4.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://lists.apache.org/thread/5bv1njp3lbbbj11y20td5yz1b4nmrtvw
http://www.openwall.com/lists/oss-security/2026/06/17/7