org.apache.dolphinscheduler:dolphinscheduler-api (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.dolphinscheduler:dolphinscheduler-api, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (9)
CVE-2026-32966 — CVSS 9.8 (critical): DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue…
CVE-2026-32967 — CVSS 9.1 (critical): Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache…
CVE-2023-49068 — CVSS 7.5 (high): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache…
CVE-2026-47340 — CVSS 6.5 (medium): Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache…
CVE-2023-49620 — CVSS 6.5 (medium): Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in…
CVE-2026-42357 — CVSS 6.5 (medium): Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have…
CVE-2020-13922 — CVSS 6.5 (medium): Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the…
CVE-2026-41280 — CVSS 4.9 (medium): Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This…
CVE-2023-25601 — CVSS 4.3 (medium): On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a…