Apache DolphinScheduler Deserialization of Untrusted Data Vulnerability in RPC Module

Vulnerability

A deserialization vulnerability allowing the injection of malicious class types has been identified in the RPC module of Apache DolphinScheduler. This issue affects versions from 3.2.0 up to, but not including, 3.3.1. Attackers with access to Master or Worker nodes can exploit this vulnerability by creating a StandardRpcRequest, injecting a harmful class type, and sending the modified RPC requests to the affected nodes.
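
The bug class described above, a receiver trusting a class type carried inside the request, is generally closed by resolving types against a fixed allow-list before any argument bytes are deserialized. The Java example below is added here for illustration and is not DolphinScheduler code or the 3.3.1 patch; `RpcTypeAllowList` and the permitted types are hypothetical.

```java
import java.util.List;
import java.util.Map;

// Added illustration: RpcTypeAllowList and the listed types are hypothetical,
// not classes from Apache DolphinScheduler.
public final class RpcTypeAllowList {

    // Only types that registered RPC methods actually accept as arguments.
    // Keys are the names a peer may send; values are fixed at class load,
    // so no peer-supplied string ever reaches Class.forName().
    private static final Map<String, Class<?>> ALLOWED = Map.of(
            "java.lang.String", String.class,
            "java.lang.Integer", Integer.class,
            "java.lang.Long", Long.class,
            "java.lang.Boolean", Boolean.class);

    /** Maps peer-supplied type names to classes, rejecting anything not pre-registered. */
    public static Class<?>[] resolve(List<String> typeNames) {
        Class<?>[] resolved = new Class<?>[typeNames.size()];
        for (int i = 0; i < resolved.length; i++) {
            String name = typeNames.get(i);
            // Map.of() maps throw on a null key, so handle null explicitly.
            Class<?> type = (name == null) ? null : ALLOWED.get(name);
            if (type == null) {
                // Fail closed before any argument bytes are deserialized.
                throw new SecurityException("RPC argument type not allowed: " + name);
            }
            resolved[i] = type;
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample requests: one with permitted types, one without.
        Class<?>[] ok = resolve(List.of("java.lang.String", "java.lang.Long"));
        System.out.println("accepted " + ok.length + " argument types");
        try {
            resolve(List.of("java.lang.String", "com.example.NotRegistered"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection happens on the type name alone, so a request naming an unregistered class is dropped without its payload ever being parsed.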

Impact

Exploitation of this vulnerability could lead to remote code execution on the Master or Worker nodes.

Remediation

Users are advised to upgrade to Apache DolphinScheduler version 3.3.1, which addresses this vulnerability.

Added: Apr 24, 2026, 11:26 AM
Updated: Apr 24, 2026, 11:26 AM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 6.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.