Apache DolphinScheduler
32 CVEs affecting Apache DolphinScheduler. Latest disclosed: 2026-06-17. Critical: 8, High: 14.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-32966 | Critical | 9.8 | 2026-06-17 | DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinSch… |
| CVE-2024-43166 | Critical | 9.8 | 2025-09-03 | Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to up… |
| CVE-2024-43202 | Critical | 9.8 | 2024-08-20 | Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache… |
| CVE-2023-49109 | Critical | 9.8 | 2024-02-20 | Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache… |
| CVE-2022-45875 | Critical | 9.8 | 2023-01-04 | Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache Do… |
| CVE-2022-45462 | Critical | 9.8 | 2022-11-23 | Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to versio… |
| CVE-2020-11974 | Critical | 9.8 | 2020-12-18 | In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database. |
| CVE-2026-32967 | Critical | 9.1 | 2026-06-17 | Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. U… |
| CVE-2024-43115 | High | 8.8 | 2025-09-03 | Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script. This issue aff… |
| CVE-2024-29831 | High | 8.8 | 2024-08-12 | Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the ser… |
| CVE-2024-23320 | High | 8.8 | 2024-02-23 | Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the ser… |
| CVE-2023-49299 | High | 8.8 | 2023-12-30 | Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the ser… |
| CVE-2021-27644 | High | 8.8 | 2021-11-01 | In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with… |
| CVE-2026-23902 | High | 8.1 | 2026-04-24 | Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined o… |
| CVE-2024-30188 | High | 8.1 | 2024-08-12 | File read and write vulnerability in Apache DolphinScheduler, authenticated users can illegally access additional resource files. This issue affects Apache D… |
| CVE-2025-62188 | High | 7.5 | 2026-04-09 | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actor… |
| CVE-2023-51770 | High | 7.5 | 2024-02-20 | Arbitrary File Read Vulnerability in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache… |
| CVE-2023-49068 | High | 7.5 | 2023-11-27 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.1. … |
| CVE-2023-48796 | High | 7.5 | 2023-11-24 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may includ… |
| CVE-2022-26885 | High | 7.5 | 2022-11-24 | When using tasks to read config files, there is a risk of database password disclosure. We recommend you upgrade to version 2.0.6 or higher. |