CVE-2026-41280 — Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with

Description

Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.

How to fix CVE-2026-41280

To remediate CVE-2026-41280, upgrade the affected package to a fixed version below.

—upgrade to 3.4.2 or later

Is CVE-2026-41280 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-41280.

Affected packages (1)

from 0, < 3.4.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-41280
PATCHgithub.com/apache/dolphinscheduler
WEBlists.apache.org/thread/5bv1njp3lbbbj11y20td5yz1b4nmrtvw
WEBwww.openwall.com/lists/oss-security/2026/06/17/7