CVE-2024-43166: Apache DolphinScheduler Privilege Escalation

CVE-2024-43166 is a privilege escalation vulnerability in Apache DolphinScheduler caused by incorrect default permissions. This flaw affects versions before 3.2.2. This post covers technical details, affected versions, and mitigation.

CVE-2024-43166 Overview

CVE-2024-43166 is an Incorrect Default Permissions vulnerability [CWE-276] in Apache DolphinScheduler, a distributed workflow scheduling platform. The flaw affects all versions of Apache DolphinScheduler prior to 3.2.2. Insecure default permissions allow remote, unauthenticated network attackers to compromise the confidentiality, integrity, and availability of affected deployments. The Apache Software Foundation recommends upgrading directly to version 3.3.1, which contains the corrective changes.

Critical Impact

Remote attackers can exploit insecure default permissions over the network without authentication or user interaction, leading to full compromise of the DolphinScheduler instance.

Affected Products

  • Apache DolphinScheduler versions prior to 3.2.2
  • Apache DolphinScheduler deployments using default permission configurations
  • Workflow scheduling environments exposing the DolphinScheduler interface to untrusted networks

Discovery Timeline

  • 2025-09-03 - CVE-2024-43166 published to the National Vulnerability Database (NVD)
  • 2025-11-04 - Last updated in the NVD database

Technical Details for CVE-2024-43166

Vulnerability Analysis

Apache DolphinScheduler ships with permission defaults that fail to restrict access to sensitive functionality. An attacker reaching the service over the network can interact with resources that should be limited to privileged users. Because no authentication, privileges, or user interaction are required, exploitation is straightforward against exposed instances. Successful exploitation impacts confidentiality, integrity, and availability of the workflow scheduler and any data it orchestrates.

Root Cause

The root cause is classified as Incorrect Default Permissions [CWE-276]. DolphinScheduler assigns permissions on installed resources or operations that are broader than required for normal operation. This permissive baseline exposes administrative or sensitive functions to callers that should not possess them. The maintainers addressed the issue beginning in version 3.2.2 and continued hardening through version 3.3.1.

Attack Vector

The attack vector is network-based with low attack complexity. An attacker submits requests to a reachable DolphinScheduler endpoint without supplying credentials. Because the default permission model grants access to protected functionality, the attacker can manipulate workflows, jobs, or scheduler resources. The same path provides leverage to alter data, exfiltrate scheduling artifacts, or disrupt automated pipelines that DolphinScheduler controls.

No public proof-of-concept exploit has been published at this time. Refer to the Apache Security Announcement and the Openwall OSS-Security Discussion for vendor-provided technical context.

Detection Methods for CVE-2024-43166

Indicators of Compromise

  • Unexpected workflow definitions, task instances, or scheduled jobs created outside of normal change windows.
  • Authentication or access logs showing privileged actions executed by anonymous or low-privilege identities.
  • Outbound connections from DolphinScheduler worker nodes to unfamiliar destinations following job executions.

Detection Strategies

  • Inventory all Apache DolphinScheduler instances and confirm the running version against 3.2.2 and 3.3.1 baselines.
  • Audit DolphinScheduler permission assignments and compare against least-privilege expectations for each role.
  • Review API and UI access logs for unauthenticated calls reaching administrative or workflow management endpoints.
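The two detection strategies above that can be automated, the version baseline check and the access-log review for unauthenticated or out-of-network calls to privileged endpoints, worked as an added example. This is illustrative code written for this page, not tooling from the Apache DolphinScheduler project. The access-log format, the sample log lines, the trusted network range and the list of "sensitive" path prefixes are all constructed assumptions; map the prefixes to the routes your deployment actually exposes and the parser to your real log format.

```python
import ipaddress
import re

# Version baselines from the advisory: fixes begin in 3.2.2, upgrade target is 3.3.1.
FIRST_FIXED = (3, 2, 2)
RECOMMENDED = (3, 3, 1)

# Path prefixes treated as privileged. These are assumptions for the example,
# not an authoritative list of DolphinScheduler routes.
SENSITIVE_PREFIXES = (
    "/dolphinscheduler/users",
    "/dolphinscheduler/projects",
    "/dolphinscheduler/access-tokens",
    "/dolphinscheduler/resources",
)

# Constructed log format for this example:
# <ISO timestamp> <client ip> <user or '-' for anonymous> <method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "2025-09-04T10:00:01Z 10.0.0.15 admin POST /dolphinscheduler/projects 200",
    "2025-09-04T10:00:05Z 203.0.113.7 - POST /dolphinscheduler/users/create 200",
    "2025-09-04T10:00:09Z 10.0.0.15 admin GET /dolphinscheduler/projects 200",
    "2025-09-04T10:00:12Z 198.51.100.9 analyst DELETE /dolphinscheduler/resources/42 200",
    "2025-09-04T10:00:15Z 203.0.113.7 - POST /dolphinscheduler/users/create 401",
    "2025-09-04T10:00:20Z 10.0.0.22 - GET /dolphinscheduler/login 200",
]
TRUSTED_NETS = ["10.0.0.0/24"]  # assumed management network


def parse_version(text):
    """Turn '3.2.1' (optionally with a suffix) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in m.groups())


def assess_version(text):
    """Classify a running version against the advisory's baselines."""
    v = parse_version(text)
    if v < FIRST_FIXED:
        return "vulnerable"
    if v < RECOMMENDED:
        return "fixed-upgrade-recommended"
    return "fixed"


def triage_access_log(lines, trusted_nets):
    """Return (finding, line) pairs for successful privileged requests that were
    either anonymous or mutating from outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if not m["path"].startswith(SENSITIVE_PREFIXES):
            continue
        if not m["status"].startswith("2"):
            continue  # only completed actions count as compromise indicators
        ip = ipaddress.ip_address(m["ip"])
        from_trusted = any(ip in n for n in nets)
        mutating = m["method"] in ("POST", "PUT", "DELETE")
        if m["user"] == "-":
            findings.append(("anonymous-privileged-access", line))
        elif mutating and not from_trusted:
            findings.append(("privileged-change-from-untrusted-source", line))
    return findings


if __name__ == "__main__":
    for ver in ("3.1.0", "3.2.2", "3.3.1"):
        print(ver, "->", assess_version(ver))
    for kind, line in triage_access_log(SAMPLE_LOG, TRUSTED_NETS):
        print(kind, "|", line)
```

Failed requests (the 401 line) are deliberately left out of the findings: a rejected call is a probing signal worth a separate rule, but it is not evidence that the default-permission weakness was actually used.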

Monitoring Recommendations

  • Enable verbose access logging on DolphinScheduler master and API services and forward events to a centralized SIEM.
  • Alert on new user accounts, role changes, or workflow creations originating from non-corporate source addresses.
  • Monitor worker process execution for unexpected commands or shell activity spawned by scheduled tasks.

How to Mitigate CVE-2024-43166

Immediate Actions Required

  • Upgrade Apache DolphinScheduler to version 3.3.1 as recommended by the Apache Software Foundation.
  • Restrict network exposure of DolphinScheduler API, master, and UI ports to trusted management networks only.
  • Review and tighten role and permission assignments inside DolphinScheduler after upgrading.

Patch Information

Apache fixed the vulnerability beginning in version 3.2.2, and users are advised to upgrade to version 3.3.1, which contains the complete fix. Patch and release information is available in the Apache Security Announcement and the Openwall OSS-Security Discussion.

Workarounds

  • Place DolphinScheduler behind an authenticating reverse proxy or VPN to block unauthenticated network access until patching completes.
  • Apply network segmentation and firewall rules so only authorized administrators can reach scheduler endpoints.
  • Disable or remove unused DolphinScheduler accounts and revoke broad default permissions where the deployment allows.

```bash
# Example: restrict DolphinScheduler API exposure with iptables until upgrade to 3.3.1
# 12345 is the default API server port; 10.0.0.0/24 stands in for the trusted management network.
# The ACCEPT rule must precede the DROP rule so that trusted traffic matches first.
iptables -A INPUT -p tcp --dport 12345 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 12345 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.