CVE-2026-47340 — Apache DolphinScheduler: An incorrect authorization vulnerability allows authent

Description

Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.

How to fix CVE-2026-47340

To remediate CVE-2026-47340, upgrade the affected package to a fixed version below.

—upgrade to 3.4.2 or later

Is CVE-2026-47340 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47340.

Affected packages (1)

from 0, < 3.4.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-47340
PATCHgithub.com/apache/dolphinscheduler
WEBlists.apache.org/thread/gx6v1wjb6qg3fzksxomysspy2gw54ooc
WEBwww.openwall.com/lists/oss-security/2026/06/17/5