Apache DolphinScheduler tenant bypass (CVE-2026-23902)
Vendor-confirmed - CVE-2026-23902 is a high-severity authorization bypass in Apache DolphinScheduler versions prior to 3.4.1 that lets authenticated users execute workflows using tenants not defined on the platform. Patched in version 3.4.1 - upgrade immediately.
Overview
CVE-2026-23902 is an Incorrect Authorization vulnerability in Apache DolphinScheduler, a popular open-source workflow orchestration platform. The flaw resides in how the application validates tenant assignments during workflow execution. An attacker who has already obtained system login credentials can craft workflow instances that reference tenants absent from the DolphinScheduler tenant registry.
The core issue is that the access control check does not verify whether a tenant identifier supplied in a workflow definition actually exists in the platform’s database. This allows a low-privileged authenticated user to impersonate arbitrary tenant contexts that were never intended to be available on that DolphinScheduler instance. Since tenant boundaries often govern resource quotas, environment access, and execution nodes, abusing an undefined tenant can lead to privilege escalation and lateral movement within the data-processing infrastructure.
The CVSS v3.1 score is 8.1 (High) with a vector string of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The attack vector is network-based, requires low complexity, low privileges, and no user interaction. The confidentiality and integrity impacts are High; availability is Not affected.
Impact
While the vulnerability does not directly grant remote code execution or full administrative control over the DolphinScheduler server, the practical impact on a production data-engineering pipeline is severe. An attacker can:
- Execute workflows under tenant identities that bypass quota limits and audit trails.
- Access data processing contexts intended for other business units or compliance zones.
- Disrupt the intent of multi-tenant isolation without needing admin credentials.
- Potentially pivot to adjacent systems if the undefined tenant maps to a misconfigured executor environment.
The EPSS score, which estimates the probability of exploitation in the next 30 days, is 0.0%, and there is no current evidence of active exploitation. However, because the vulnerability is trivially exploitable once authenticated and the advisory is public, security teams should treat this with appropriate urgency.
Affected Versions
All Apache DolphinScheduler versions prior to 3.4.1 are affected.
Remediation
The fixed version is Apache DolphinScheduler 3.4.1. Upgrade all instances to this version or later. No workarounds or configuration-level mitigations have been released by the vendor.
If an immediate upgrade is not possible, restrict network access to the DolphinScheduler API and web UI to trusted IP ranges only, and audit existing tenant definitions to ensure no unknown or placeholder entries exist. Monitor workflow execution logs for tenant identifiers that do not match defined tenant records.
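One way to run the execution-log check described above, as an added example that is not part of the advisory or the DolphinScheduler project: a Python script that compares the tenant identifier on each exported workflow execution against an exported tenant list and groups mismatches by submitting user. The CSV column names and all sample rows are constructed assumptions, not the product's schema or log format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports. Column names are assumptions for illustration,
# not DolphinScheduler's actual schema or log format.
TENANT_REGISTRY_CSV = """tenant_code
etl_prod
analytics
"""

EXECUTIONS_CSV = """instance_id,workflow,submitted_by,tenant_code,start_time
101,daily_load,alice,etl_prod,2026-01-10T02:00:00
102,adhoc_export,bob,unlisted_a,2026-01-10T03:14:00
103,report_build,carol,analytics,2026-01-10T04:00:00
104,adhoc_export,bob,unlisted_b,2026-01-10T04:30:00
105,cleanup,dave,,2026-01-10T05:00:00
106,daily_load,alice, ETL_PROD ,2026-01-10T06:00:00
"""


def load_defined_tenants(registry_csv):
    """Return the set of tenant codes present in the tenant registry export."""
    rows = csv.DictReader(io.StringIO(registry_csv))
    return {r["tenant_code"].strip() for r in rows if r["tenant_code"].strip()}


def find_undefined_tenant_runs(registry_csv, executions_csv, builtin=()):
    """Group executions whose tenant has no registry record, keyed by submitter."""
    # Matching is exact and case-sensitive after trimming whitespace, so a
    # look-alike such as "ETL_PROD" is reported rather than silently accepted.
    # `builtin` lists codes the operator knowingly allows without a record.
    allowed = load_defined_tenants(registry_csv) | set(builtin)
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(executions_csv)):
        tenant = (row.get("tenant_code") or "").strip()
        if tenant not in allowed:
            findings[row["submitted_by"]].append(
                (row["instance_id"], tenant or "<missing>", row["start_time"])
            )
    return dict(findings)


if __name__ == "__main__":
    report = find_undefined_tenant_runs(TENANT_REGISTRY_CSV, EXECUTIONS_CSV)
    for user, runs in report.items():
        for instance_id, tenant, started in runs:
            print(f"{started} user={user} instance={instance_id} tenant={tenant}")
```

Executions with an empty tenant field are reported as `<missing>` so that they are reviewed rather than skipped.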
References
- Vendor advisory and download link: Apache DolphinScheduler Security
- Apache ActiveMQ CVE-2026-34197 added to CISA KEV catalog
Security Insight
This vulnerability class - tenant-bypass in orchestration platforms - is an increasingly common blind spot. Similar flaws have surfaced in Airflow and Prefect, indicating that open-source workflow engines often treat tenant boundaries as a non-critical feature rather than a security control. As data pipelines grow in complexity and regulatory scrutiny, organizations should treat tenant isolation in orchestration tools as an authentication and authorization primitive, not just an organizational convenience.