PatchSiren cyber security CVE debrief

CVE-2026-41280 Apache Software Foundation CVE debrief

CVE-2026-41280 is a MEDIUM-severity vulnerability in Apache DolphinScheduler, affecting versions prior to 3.4.2. The issue allows users with system login privileges to delete task definitions in unauthorized projects, posing a risk to data integrity and project management. Users should upgrade to version 3.4.2, which fixes this issue. This vulnerability has a CVSS score of 4.9 and is categorized under CWE-863. The vulnerability was published on 2026-06-17T13:20:38.223Z and last modified on 2026-06-17T15:06:43.330Z.

Vendor: Apache Software Foundation
Product: Apache DolphinScheduler
CVSS: MEDIUM 4.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

System administrators and users of Apache DolphinScheduler versions prior to 3.4.2 should be aware of this vulnerability. Any account that holds system login privileges could exploit the issue, so every logged-in user is a potential source of unauthorized project changes, not only project members.

Technical summary

The CVE-2026-41280 vulnerability in Apache DolphinScheduler is caused by incorrect authorization: the deletion of a task definition is gated on whether the caller is logged in, not on whether the caller is authorized on the project that owns the task definition. Users with system login privileges can therefore delete task definitions in projects they are not authorized to access. This issue is addressed in version 3.4.2. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N: network-reachable, low attack complexity, high privileges required (a login), no user interaction, high integrity impact, and no confidentiality or availability impact. It is categorized under CWE-863, 'Incorrect Authorization'.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade Apache DolphinScheduler to version 3.4.2 or later
  • Restrict system login privileges to only necessary users
  • Monitor project task definitions for unauthorized changes
  • Implement additional authorization checks for task definition deletion
  • Review and update access controls for project management
  • Consider implementing role-based access control (RBAC) for project management
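The defect described in the technical summary and the additional authorization check recommended above, as an added Python illustration that is not Apache DolphinScheduler code: the data model, function names and sample users are constructed assumptions, and only the shape of the check (login-only versus project-scoped) reflects the advisory.

```python
# Constructed illustration of CWE-863 on a project-scoped delete. This is not
# Apache DolphinScheduler code; names and data model are hypothetical stand-ins.
from dataclasses import dataclass, field

class Forbidden(Exception):
    pass

@dataclass
class Project:
    code: str
    members: set                                  # users authorized on the project
    tasks: dict = field(default_factory=dict)     # task_code -> definition

def delete_task_vulnerable(user, logged_in, projects, project_code, task_code):
    # Checks only that the caller holds a valid system login. Any logged-in user
    # can therefore delete task definitions in any project: the missing
    # project-level check is the incorrect-authorization defect.
    if not logged_in:
        raise Forbidden("login required")
    return projects[project_code].tasks.pop(task_code)

def delete_task_fixed(user, logged_in, projects, project_code, task_code):
    # Login check plus an object-level check tying the caller to the specific
    # project that owns the task definition before anything is mutated.
    if not logged_in:
        raise Forbidden("login required")
    project = projects[project_code]
    if user not in project.members:
        raise Forbidden(f"{user} is not authorized on project {project_code}")
    if task_code not in project.tasks:
        raise KeyError(task_code)
    return project.tasks.pop(task_code)

def build_projects():
    # Constructed sample data: alice is a member of proj-A, bob of proj-B.
    return {
        "proj-A": Project("proj-A", {"alice"}, {"t1": "etl-nightly"}),
        "proj-B": Project("proj-B", {"bob"}, {"t2": "report-weekly"}),
    }

def demo():
    # bob is logged in but is not a member of proj-A.
    vulnerable = build_projects()
    delete_task_vulnerable("bob", True, vulnerable, "proj-A", "t1")   # succeeds: the bug
    fixed = build_projects()
    try:
        delete_task_fixed("bob", True, fixed, "proj-A", "t1")
    except Forbidden:
        pass
    return {"vulnerable_deleted": "t1" not in vulnerable["proj-A"].tasks,
            "fixed_deleted": "t1" not in fixed["proj-A"].tasks}
```

The same object-level check belongs on every other project-scoped mutation, not only delete, and a denied call is the event worth logging when monitoring for unauthorized changes.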

Evidence notes

The information provided is based on the CVE record and NVD details. The vulnerability affects Apache DolphinScheduler versions prior to 3.4.2. The CVSS score and vector are provided by the NVD. The CWE classification is based on the vendor's advisory.