[Verse 1]
Apache DolphinScheduler, orchestrating your flows
Someone left the v-two door unlocked where nobody goes
CVE-2026-32967, score nine point one
The experimental interface lets the wrong hands get it done
No authorization check where the gateway swings wide
Before version three point four point two, attackers slip inside
Upgrade your scheduler or the workflow turns to dust
Every pipeline you are running handed over on trust

[Chorus]
Critical scores, nine point one, nine point eight
These aren't warnings you can shelve until a later date
Apache, ibaPDA, APISIX in the line
Patch the cracks before the infiltrators find the sign
Four CVEs burning through the twenty-sixth of June
Miss the update window and the breach arrives too soon

[Verse 2]
DefaultLdapRealm constructs a name from what you type
A remote attacker drops a special character ripe
CVE-2026-49268, LDAP injection raw
Stitching your username straight into the query's jaw
Distinguished Name pollution, the authentication warps
The directory folds open and the boundary just absorbs
Nine point one on the scoreboard, your user store at stake
One malformed credential is all the exploit takes

[Chorus]
Critical scores, nine point one, nine point eight
These aren't warnings you can shelve until a later date
Apache, ibaPDA, APISIX in the line
Patch the cracks before the infiltrators find the sign
Four CVEs burning through the twenty-sixth of June
Miss the update window and the breach arrives too soon

[Bridge]
And then there's ibaPDA, the industrial eye
CVE-2026-8024, scoring nearly maxed out high
Nine point eight, unauthenticated, no credential required
Deserialization swallows poison data, system acquired
ibaDatCoordinator too, full access handed clean
The highest severity alarm that June has ever seen
No login, no handshake, just a payload in the stream
And the factory floor becomes the attacker's private scheme

[Verse 3]
Apache APISIX running jwt-auth in a specific way
CVE-2026-39999 spoofs the gateway today
Authentication bypass where the token check goes blind
Nine point one on the meter and the wall stays left behind
Certain configurations let the counterfeit walk through
The attacker impersonates whatever user they construe
Four vulnerabilities stitched across the Apache seam
Verify your versions before the audit finds the gap in your regime

[Outro]
Thirty-second of June twenty-six, four threats in play
DolphinScheduler, LDAP, ibaPDA, APISIX today
Check your versions, harden configs, close the open gate
CVEs don't wait for maintenance — neither should your update