CVE-2026-32967

CRITICAL

Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks

Title source: cna
STIX 2.1

Description

Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.

References (2)

Core 2
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/06/17/3

Scores

CVSS v3 9.1
EPSS 0.0034
EPSS Percentile 25.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (3)
apache/dolphinscheduler < 3.4.2
Apache Software Foundation/Apache DolphinScheduler < 3.4.2
org.apache.dolphinscheduler/dolphinscheduler-api 0 - 3.4.2Maven
Published Jun 17, 2026
Tracked Since Jun 17, 2026