CVE-2026-23902

Apache · DolphinScheduler

Apache DolphinScheduler contains an incorrect authorization vulnerability that allows authenticated users to access unauthorized tenants during workflow execution.

Executive summary

A high-severity authorization vulnerability in Apache DolphinScheduler allows authenticated users to bypass tenant restrictions during workflow operations.

Vulnerability

This is an incorrect authorization vulnerability: an authenticated user with ordinary login access can select or use a tenant that was never assigned to that user when a workflow is executed. In DolphinScheduler a tenant corresponds to the operating-system user on the worker nodes under which task processes are launched, and an administrator binds each platform user to a tenant; the flaw means that binding is not enforced at execution time, so a user's tasks can run under another tenant's account.

Business impact

This flaw allows lateral access across organizational tenants: a user's tasks can execute under a tenant (and therefore a worker OS account) the user is not entitled to, potentially exposing that tenant's files, credentials and workflow data to users who should not have access. With a CVSS base score of 8.1 (High), this represents a significant risk to data confidentiality and multi-tenant isolation within the DolphinScheduler environment.

Remediation

Immediate Action: Upgrade Apache DolphinScheduler to a release that includes the fix for tenant authorization checks; consult the Apache DolphinScheduler security advisory for this CVE to confirm the fixed version.

Proactive Monitoring: Audit workflow and task instance records for executions whose tenant differs from the tenant bound to the submitting user, and review worker-side process and file activity for those tenant accounts to determine whether the access was exploited.

Compensating Controls: Until the upgrade is applied, reduce the number of accounts with login access, review which users hold which tenant bindings and which tenants exist at all, and restrict who can create, modify or start workflows.
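The audit described under Proactive Monitoring can be done offline against an export of workflow or task instance records. The following is an added example, not DolphinScheduler's own code: it assumes a CSV export with the hypothetical columns instance_id, user_name, tenant_code and workflow_name, and a user-to-tenant binding table where a user may be bound to one or more tenants. The sample export and bindings are constructed for illustration; the column names and the binding layout are assumptions to be mapped onto your own data.

```python
"""Flag workflow executions that ran under a tenant the submitting user is not bound to.

Added detection example; not DolphinScheduler's own code. The export format,
column names and the binding table are assumptions for illustration.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Execution:
    instance_id: int
    user: str          # account that submitted or started the workflow
    tenant_code: str   # tenant (worker OS user) the task actually ran as
    workflow: str


# Constructed sample of user -> tenant bindings, as an administrator would assign them.
# Assumption: a user may be bound to one or more tenant codes.
BINDINGS: Dict[str, Set[str]] = {
    "alice": {"team_a"},
    "bob": {"team_b"},
    "admin": {"team_a", "team_b", "default"},
}

# Constructed sample export (hypothetical column names; not real log data).
SAMPLE_EXPORT = """instance_id,user_name,tenant_code,workflow_name
101,alice,team_a,etl_daily
102,bob,team_a,export_reports
103,alice,team_b,etl_daily
104,mallory,default,cleanup
105,admin,default,maintenance
"""


def parse_records(text: str) -> List[Execution]:
    """Parse the CSV export into Execution records, skipping malformed rows."""
    records: List[Execution] = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            records.append(Execution(
                instance_id=int(row["instance_id"]),
                user=row["user_name"].strip(),
                tenant_code=row["tenant_code"].strip(),
                workflow=row["workflow_name"].strip(),
            ))
        except (KeyError, ValueError):
            # A row missing a column or with a non-numeric id is not silently
            # accepted as "clean"; it is skipped here and should be reviewed.
            continue
    return records


def find_tenant_mismatches(bindings: Dict[str, Set[str]],
                           executions: List[Execution]) -> List[Execution]:
    """Return executions whose tenant_code is not among the submitting user's bound tenants.

    A user with no binding record at all is treated as having no allowed tenants,
    so every execution by that user is flagged rather than skipped: an account
    that exists in execution history but not in the binding table is itself
    something an investigator wants to see.
    """
    flagged: List[Execution] = []
    for ex in executions:
        allowed = bindings.get(ex.user, set())
        if ex.tenant_code not in allowed:
            flagged.append(ex)
    return flagged


def summarize(flagged: List[Execution]) -> Dict[str, List[int]]:
    """Group flagged instance ids by submitting user, for triage."""
    out: Dict[str, List[int]] = {}
    for ex in flagged:
        out.setdefault(ex.user, []).append(ex.instance_id)
    return out


if __name__ == "__main__":
    hits = find_tenant_mismatches(BINDINGS, parse_records(SAMPLE_EXPORT))
    for ex in hits:
        print(f"instance {ex.instance_id}: user {ex.user!r} ran {ex.workflow!r} "
              f"as tenant {ex.tenant_code!r}, which is not bound to that user")
    print("by user:", summarize(hits))
```

Against the constructed sample this flags instances 102 (bob running as team_a), 103 (alice running as team_b) and 104 (a user with no binding at all), while 101 and 105 pass. Treating an unbound user as a hit rather than a pass is deliberate: the absence of a binding is exactly the condition the vulnerability lets a user exploit, so the audit must not default to "allowed" when the lookup fails.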

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations relying on DolphinScheduler for multi-tenant data workflows must prioritize this update. Immediate patching is necessary to restore proper tenant isolation and prevent unauthorized access to sensitive workflow information.