PatchSiren cyber security CVE debrief

CVE-2026-42357 Apache Software Foundation CVE debrief

CVE-2026-42357 is a medium-severity vulnerability in Apache DolphinScheduler that allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. The vulnerability has a CVSS score of 6.5 and is classified as CWE-863. The issue was published on June 17, 2026, and last modified on the same day.

Vendor: Apache Software Foundation
Product: Apache DolphinScheduler
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Users of Apache DolphinScheduler versions prior to 3.4.2 should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 3.4.2 or applying other recommended patches. Security teams and administrators responsible for Apache DolphinScheduler installations should prioritize this vulnerability and take immediate action.

Technical summary

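CVE-2026-42357 is caused by incorrect authorization (CWE-863) in Apache DolphinScheduler, which allows users to access workflow instance information belonging to projects they do not have permission to access. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: the issue is reachable over the network, has low attack complexity, requires a low-privileged account and no user interaction, leaves scope unchanged, and has a high confidentiality impact with no integrity or availability impact. This corresponds to the medium severity score of 6.5. The issue affects all versions of Apache DolphinScheduler prior to 3.4.2.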

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to Apache DolphinScheduler version 3.4.2 or later
  • Review and update access controls for workflow instance information
  • Monitor for suspicious activity related to workflow instance access
  • Implement additional logging and auditing for workflow instance access
  • Restrict access to workflow instance information based on user roles and permissions

Evidence notes

The information provided is based on the CVE-2026-42357 record from the National Vulnerability Database (NVD) and the Apache Security Team. The vulnerability was published on June 17, 2026, and last modified on the same day. The CVSS score and vector were provided by the NVD.

Official resources

CVE-2026-42357 was published on June 17, 2026.