Apache Dolphinscheduler — known CVE vulnerabilities
Every CVE whose affected-product data names Apache Dolphinscheduler, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (32)
CVE-2022-45462 — CVSS 9.8 (critical): Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend…
CVE-2024-43202 — CVSS 9.8 (critical): Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users…
CVE-2024-43166 — CVSS 9.8 (critical): Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are…
CVE-2022-45875 — CVSS 9.8 (critical): Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This…
CVE-2023-49109 — CVSS 9.8 (critical): Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users…
CVE-2026-32966 — CVSS 9.8 (critical): DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue…
CVE-2020-11974 — CVSS 9.8 (critical): In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database.
CVE-2026-32967 — CVSS 9.1 (critical): Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache…
CVE-2024-43115 — CVSS 8.8 (high): Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert…
CVE-2023-49299 — CVSS 8.8 (high): Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be…
CVE-2021-27644 — CVSS 8.8 (high): In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to…
CVE-2024-23320 — CVSS 8.8 (high): Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be…
CVE-2024-29831 — CVSS 8.8 (high): Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be…
CVE-2026-23902 — CVSS 8.1 (high): Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants…
CVE-2024-30188 — CVSS 8.1 (high): File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files. This…
CVE-2022-26885 — CVSS 7.5 (high): When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher.
CVE-2022-25598 — CVSS 7.5 (high): Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users…
CVE-2023-48796 — CVSS 7.5 (high): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to…
CVE-2023-49068 — CVSS 7.5 (high): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache…
CVE-2023-51770 — CVSS 7.5 (high): Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users…
CVE-2025-62188 — CVSS 7.5 (high): An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow…
CVE-2023-49250 — CVSS 7.3 (high): Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https…
CVE-2026-47340 — CVSS 6.5 (medium): Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache…
CVE-2020-13922 — CVSS 6.5 (medium): Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the…
CVE-2022-26884 — CVSS 6.5 (medium): Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
CVE-2022-34662 — CVSS 6.5 (medium): When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You…
CVE-2023-49620 — CVSS 6.5 (medium): Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in…
CVE-2023-50270 — CVSS 6.5 (medium): Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are…
CVE-2026-42357 — CVSS 6.5 (medium): Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have…
CVE-2025-62233 — CVSS 6.3 (medium): Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module. This issue affects Apache DolphinScheduler: Version…
CVE-2026-41280 — CVSS 4.9 (medium): Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This…
CVE-2023-25601 — CVSS 4.3 (medium): On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a…