Apache DolphinScheduler

Apache DolphinScheduler Incorrect Default Permissions (<=3.2.2)
CVE-2024-43166 9.8 - Critical - September 03, 2025

Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.

Incorrect Default Permissions

Apache DolphinScheduler 3.2.2 IMP Input Validation: Auth User RCE via Shell Script
CVE-2024-43115 8.8 - High - September 03, 2025

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.

Improper Input Validation

Apache DolphinScheduler RCE before 3.2.2
CVE-2024-43202 9.8 - Critical - August 20, 2024

Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.

Code Injection

Apache DolphinScheduler XSS/Remote Code Exec via Switch Task Plugin upgrade 3.2.2
CVE-2024-29831 8.8 - High - August 12, 2024

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.

Improper Input Validation

Apache DolphinScheduler 3.1.x File Read/Write Vulnerability (AUTH) before 3.2.2
CVE-2024-30188 8.1 - High - August 12, 2024

File read and write vulnerability in Apache DolphinScheduler ,  authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2. Users are recommended to upgrade to version 3.2.2, which fixes the issue.

Improper Input Validation

Apache DolphinScheduler 3.2.1 Unrestricted JS Exec via Improper Input Validation
CVE-2024-23320 - February 23, 2024

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it. This issue affects Apache DolphinScheduler: until 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue.

Improper Input Validation

Apache DolphinScheduler RCE <3.2.1 Remote Exec Vulnerability
CVE-2023-49109 - February 20, 2024

Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

Code Injection

Apache DolphinScheduler <3.2.0 Session Fixation (Session Persists)
CVE-2023-50270 - February 20, 2024

Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

Apache DolphinScheduler Pre-3.2.1 Arbitrary File Read CVE-2023-51770
CVE-2023-51770 7.5 - High - February 20, 2024

Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

Code Injection

Apache DolphinScheduler <=3.1: HttpUtils SSL Cert Bypass (CVE-2023-49250)
CVE-2023-49250 - February 20, 2024

Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affects Apache DolphinScheduler: before 3.2.0. Users are recommended to upgrade to version 3.2.1, which fixes the issue.

Improper Certificate Validation

Apache DolphinScheduler <3.1.9 Improper Input Unrestricted JS Exec
CVE-2023-49299 8.8 - High - December 30, 2023

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server.This issue affects Apache DolphinScheduler: until 3.1.9. Users are recommended to upgrade to version 3.1.9, which fixes the issue.

Improper Input Validation

DolphinScheduler UDF Delete IDOR before v3.1.0
CVE-2023-49620 6.5 - Medium - November 30, 2023

Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability

AuthZ

Apache DolphinScheduler 3.2.1 Sensitive Info Exposure to Unauthorized Users
CVE-2023-49068 7.5 - High - November 27, 2023

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue. At the time of disclosure of this advisory, this version has not yet been released. In the mean time, we recommend you make sure the logs are only available to trusted operators.

Apache DolphinScheduler 3.0.0-3.0.1 Sensitive Data Exposed via Mgmt Endpoints
CVE-2023-48796 7.5 - High - November 24, 2023

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file ``` management:   endpoints:     web:       exposure:         include: health,metrics,prometheus ``` This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.

On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered
CVE-2023-25601 4.3 - Medium - April 20, 2023

On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above.

authentification

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability
CVE-2022-45875 9.8 - Critical - January 04, 2023

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by authenticated users which can login to DS.

Improper Input Validation

When using tasks to read config files, there is a risk of database password disclosure
CVE-2022-26885 7.5 - High - November 24, 2022

When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher.

Alarm instance management has command injection when there is a specific command configured
CVE-2022-45462 9.8 - Critical - November 23, 2022

Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher

Command Injection

When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users
CVE-2022-34662 6.5 - Medium - November 01, 2022

When users add resources to the resource center with a relation path will cause path traversal issues and only for logged-in users. You could upgrade to version 3.0.0 or higher

Directory traversal

Users can read any files by log server
CVE-2022-26884 6.5 - Medium - October 28, 2022

Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.

Directory traversal

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks
CVE-2022-25598 7.5 - High - March 30, 2022

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.

ReDoS

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center
CVE-2021-27644 8.8 - High - November 01, 2021

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

SQL Injection

Versions of Apache DolphinScheduler prior to 1.3.2
CVE-2020-13922 6.5 - Medium - January 11, 2021

Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface.

Incorrect Default Permissions

In DolphinScheduler 1.2.0 and 1.2.1
CVE-2020-11974 9.8 - Critical - December 18, 2020

In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database.