CVE-2026-42357 — Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to a

Description

Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.

How to fix CVE-2026-42357

To remediate CVE-2026-42357, upgrade the affected package to a fixed version below.

—upgrade to 3.4.2 or later

Is CVE-2026-42357 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-42357.

Affected packages (1)

from 0, < 3.4.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-42357
PATCHgithub.com/apache/dolphinscheduler
WEBlists.apache.org/thread/74l2rrz32w2chn7vz64313gk7ox5wjtr
WEBwww.openwall.com/lists/oss-security/2026/06/17/4