CVE-2024-43166 Overview
CVE-2024-43166 is an Incorrect Default Permissions vulnerability [CWE-276] in Apache DolphinScheduler, a distributed workflow scheduling platform. The flaw affects all versions of Apache DolphinScheduler prior to 3.2.2. Insecure default permissions allow remote, unauthenticated network attackers to compromise the confidentiality, integrity, and availability of affected deployments. The Apache Software Foundation recommends upgrading directly to version 3.3.1, which contains the corrective changes.
Critical Impact
Remote attackers can exploit insecure default permissions over the network without authentication or user interaction, leading to full compromise of the DolphinScheduler instance.
Affected Products
- Apache DolphinScheduler versions prior to 3.2.2
- Apache DolphinScheduler deployments using default permission configurations
- Workflow scheduling environments exposing the DolphinScheduler interface to untrusted networks
Discovery Timeline
- 2025-09-03 - CVE-2024-43166 published to the National Vulnerability Database (NVD)
- 2025-11-04 - Last updated in the NVD database
Technical Details for CVE-2024-43166
Vulnerability Analysis
Apache DolphinScheduler ships with permission defaults that fail to restrict access to sensitive functionality. An attacker reaching the service over the network can interact with resources that should be limited to privileged users. Because no authentication, privileges, or user interaction are required, exploitation is straightforward against exposed instances. Successful exploitation impacts confidentiality, integrity, and availability of the workflow scheduler and any data it orchestrates.
Root Cause
The root cause is classified as Incorrect Default Permissions [CWE-276]. DolphinScheduler assigns permissions on installed resources or operations that are broader than required for normal operation. This permissive baseline exposes administrative or sensitive functions to callers that should not possess them. The maintainers addressed the issue beginning in version 3.2.2 and continued hardening through version 3.3.1.
Attack Vector
The attack vector is network-based with low attack complexity. An attacker submits requests to a reachable DolphinScheduler endpoint without supplying credentials. Because the default permission model grants access to protected functionality, the attacker can manipulate workflows, jobs, or scheduler resources. The same path provides leverage to alter data, exfiltrate scheduling artifacts, or disrupt automated pipelines that DolphinScheduler controls.
No public proof-of-concept exploit has been published at this time. Refer to the Apache Security Announcement and the Openwall OSS-Security Discussion for vendor-provided technical context.
Detection Methods for CVE-2024-43166
Indicators of Compromise
- Unexpected workflow definitions, task instances, or scheduled jobs created outside of normal change windows.
- Authentication or access logs showing privileged actions executed by anonymous or low-privilege identities.
- Outbound connections from DolphinScheduler worker nodes to unfamiliar destinations following job executions.
Detection Strategies
- Inventory all Apache DolphinScheduler instances and confirm that each runs at least version 3.2.2 (preferably the recommended 3.3.1); anything older is affected.
- Audit DolphinScheduler permission assignments and compare against least-privilege expectations for each role.
- Review API and UI access logs for unauthenticated calls reaching administrative or workflow management endpoints.
Monitoring Recommendations
- Enable verbose access logging on DolphinScheduler master and API services and forward events to a centralized SIEM.
- Alert on new user accounts, role changes, or workflow creations originating from non-corporate source addresses.
- Monitor worker process execution for unexpected commands or shell activity spawned by scheduled tasks.
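The version check in the detection strategies and the log review and alerting steps above can be scripted. The following Python script is an added example written for this page, not code from the Apache DolphinScheduler project or from the advisory. It assumes a constructed access-log line shape (client address, user, timestamp, request line, status), an assumed trusted management network of 10.0.0.0/24, and illustrative endpoint prefixes under /dolphinscheduler/ that stand in for the administrative and workflow-management routes of a real deployment. It flags successful calls to those routes by the anonymous identity and creation requests coming from outside the trusted network, and it classifies a reported version against the 3.2.2 fix boundary.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Version below which the advisory says deployments are affected.
FIXED_VERSION = (3, 2, 2)

# Assumed trusted management network for this example; adjust to your estate.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# Illustrative (assumed) path prefixes that only privileged users should reach.
SENSITIVE_PREFIXES = (
    "/dolphinscheduler/users",
    "/dolphinscheduler/projects",
    "/dolphinscheduler/resources",
)
# Illustrative (assumed) path fragments that indicate a create operation.
CREATE_PATTERNS = ("process-definition", "schedules", "/users/create")

# Constructed log line shape used by this example:
#   <ip> - <user> [<timestamp>] "<METHOD> <path> HTTP/1.1" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Constructed sample lines: an admin from the trusted network, then an
# anonymous caller from an outside address creating a user and a workflow.
SAMPLE_LOG = [
    '10.0.0.15 - admin [03/Sep/2025:10:00:01 +0000] "GET /dolphinscheduler/projects HTTP/1.1" 200',
    '203.0.113.7 - - [03/Sep/2025:10:02:13 +0000] "POST /dolphinscheduler/users/create HTTP/1.1" 200',
    '203.0.113.7 - - [03/Sep/2025:10:02:40 +0000] "POST /dolphinscheduler/projects/1234/process-definition HTTP/1.1" 201',
    '10.0.0.15 - admin [03/Sep/2025:10:05:00 +0000] "POST /dolphinscheduler/projects/1234/process-definition HTTP/1.1" 201',
    '203.0.113.7 - - [03/Sep/2025:10:06:00 +0000] "GET /dolphinscheduler/ui/login HTTP/1.1" 200',
]


@dataclass
class Finding:
    rule: str
    ip: str
    user: str
    method: str
    path: str


def parse_version(text: str) -> tuple:
    """Turn a version string such as '3.1.8' into (3, 1, 8); drops any '-suffix'."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_is_vulnerable(text: str) -> bool:
    """True when the reported version is older than the 3.2.2 fix boundary."""
    return parse_version(text) < FIXED_VERSION


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside an assumed trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyse(lines) -> list:
    """Apply the two detection rules to each parsable log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not match the assumed shape; skip it
        ip, user, method, path, status = (
            m.group(k) for k in ("ip", "user", "method", "path", "status")
        )
        succeeded = status.startswith("2")
        # Rule 1: a successful privileged call with no authenticated identity.
        if succeeded and user == "-" and path.startswith(SENSITIVE_PREFIXES):
            findings.append(Finding("unauthenticated-privileged-action", ip, user, method, path))
        # Rule 2: a successful creation request from outside the trusted network.
        if (succeeded and method == "POST"
                and any(p in path for p in CREATE_PATTERNS) and not is_trusted(ip)):
            findings.append(Finding("creation-from-untrusted-source", ip, user, method, path))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, the shape a SIEM alert would key on."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.rule}: {f.ip} {f.user} {f.method} {f.path}")
    print(summarize(analyse(SAMPLE_LOG)))
    for v in ("3.1.8", "3.2.2", "3.3.1"):
        print(v, "vulnerable" if version_is_vulnerable(v) else "fixed")
```

Run against the constructed sample, the script reports four findings, all from the outside address: the anonymous user-creation and workflow-creation calls trip both rules, while the admin's identical workflow creation from the trusted network and the anonymous GET of the login page trip neither. Replace the regex and the path lists with the request format and routes of your own deployment before using this against real logs.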
How to Mitigate CVE-2024-43166
Immediate Actions Required
- Upgrade Apache DolphinScheduler to version 3.3.1 as recommended by the Apache Software Foundation.
- Restrict network exposure of DolphinScheduler API, master, and UI ports to trusted management networks only.
- Review and tighten role and permission assignments inside DolphinScheduler after upgrading.
Patch Information
Apache fixed the vulnerability beginning in version 3.2.2, and users are advised to upgrade to version 3.3.1, which contains the complete fix. Patch and release information is available in the Apache Security Announcement and the Openwall OSS-Security Discussion.
Workarounds
- Place DolphinScheduler behind an authenticating reverse proxy or VPN to block unauthenticated network access until patching completes.
- Apply network segmentation and firewall rules so only authorized administrators can reach scheduler endpoints.
- Disable or remove unused DolphinScheduler accounts and revoke broad default permissions where the deployment allows.
# Example: restrict DolphinScheduler API exposure with iptables until the upgrade to 3.3.1
# 12345 is the default listening port of the DolphinScheduler API service; adjust it and the
# trusted subnet to match your deployment. Rule order matters: the ACCEPT must precede the DROP.
iptables -A INPUT -p tcp --dport 12345 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 12345 -j DROP
# These rules are not persistent across reboots unless saved with your distribution's iptables-save mechanism.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

