CVE-2026-23902
Published: 24 April 2026
Summary
CVE-2026-23902 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Apache DolphinScheduler. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates enforcement of approved authorizations to prevent authenticated users from utilizing undefined tenants during workflow execution.
- Requires correct access control decisions for system resources like tenants, addressing the incorrect authorization logic in DolphinScheduler.
- Enforces least privilege to restrict users to only authorized tenants, mitigating bypass of tenant authorization checks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass in public-facing workflow scheduler directly enables exploitation of the application (T1190) and facilitates privilege escalation by allowing unauthorized tenant context during execution (T1068).
NVD Description
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution. This issue affects Apache DolphinScheduler versions prior to 3.4.1. Users are recommended to upgrade to version 3.4.1, which fixes this issue.
Deeper analysis
CVE-2026-23902 is an Incorrect Authorization vulnerability (CWE-863) in Apache DolphinScheduler, published on 2026-04-24. It affects all versions prior to 3.4.1 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). The issue enables authenticated users with system login permissions to utilize tenants that are not defined on the platform during workflow execution, bypassing intended authorization controls.
An attacker requires low-privilege authenticated access (PR:L) via the network (AV:N) and can exploit the vulnerability with low complexity (AC:L) and no user interaction (UI:N). Exploitation allows the attacker to execute workflows using unauthorized tenants, resulting in high impacts to confidentiality (C:H) and integrity (I:H) without affecting availability (A:N), potentially granting access to restricted resources or data.
Apache advisories recommend upgrading to version 3.4.1, which resolves the vulnerability. Additional details are available in the Apache mailing list thread at https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9 and the OSS-Security announcement at http://www.openwall.com/lists/oss-security/2026/04/24/1.
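As an added illustration that is not DolphinScheduler's own code, the following Python models the tenant authorization decision the advisory describes as missing: the vulnerable path uses whatever tenant code arrives with the run request, while the hardened path accepts only tenants defined on the platform and granted to the requesting user (the AC-24 decision and AC-3 enforcement named above). All names, the platform state and the users are constructed for this example.

```python
# Added example, not code from Apache DolphinScheduler. Models the tenant
# authorization check behind CVE-2026-23902; all names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    code: str   # OS-level account a worker runs the task as
    id: int


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    tenant_ids: frozenset = frozenset()   # tenants granted to this user


# Constructed platform state: the tenants defined on this platform.
DEFINED_TENANTS = {"analytics": Tenant("analytics", 1), "etl": Tenant("etl", 2)}


class TenantAuthorizationError(Exception):
    pass


def resolve_tenant_vulnerable(user: User, requested_code: str) -> str:
    """Pre-3.4.1-style behaviour as the advisory describes it: the tenant
    code supplied with the run request is used as-is, whether or not it is
    defined on the platform or granted to the user."""
    return requested_code


def resolve_tenant_hardened(user: User, requested_code: str) -> str:
    """The tenant must exist on the platform, and the user must be
    authorized for it; admins may use any *defined* tenant but still
    cannot name one the platform does not know."""
    tenant = DEFINED_TENANTS.get(requested_code)
    if tenant is None:
        raise TenantAuthorizationError(f"tenant {requested_code!r} is not defined")
    if not user.is_admin and tenant.id not in user.tenant_ids:
        raise TenantAuthorizationError(f"{user.name!r} not authorized for {tenant.code!r}")
    return tenant.code


def run_workflow(user: User, requested_code: str, resolver=resolve_tenant_hardened):
    """Returns the tenant the workflow would execute under, or None if rejected."""
    try:
        return resolver(user, requested_code)
    except TenantAuthorizationError:
        return None
```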
Details
- CWE(s)