CVE-2026-32966 Overview
CVE-2026-32966 is a missing authorization vulnerability in Apache DolphinScheduler that affects the DataSource API. The flaw allows unauthenticated network attackers to access arbitrary data source metadata stored within the workflow scheduler. The issue is tracked under CWE-863: Incorrect Authorization and impacts all versions of Apache DolphinScheduler before 3.4.2. The Apache Software Foundation released version 3.4.2 to address the missing authorization check.
Critical Impact
Attackers can retrieve sensitive data source metadata — including database connection details — without authentication, enabling lateral movement into connected backend systems.
Affected Products
- Apache DolphinScheduler versions prior to 3.4.2
- Deployments exposing the DataSource API endpoint to untrusted networks
- Workflow environments integrating external databases via DolphinScheduler data sources
Discovery Timeline
- 2026-06-17 - CVE-2026-32966 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-32966
Vulnerability Analysis
Apache DolphinScheduler is a distributed workflow orchestration platform used to schedule data pipelines. The DataSource API manages registered database and storage connections that workflow tasks consume at runtime. The vulnerability stems from the absence of an authorization check on endpoints that return data source metadata.
A remote attacker reaches the affected API over the network without credentials and without user interaction. Successful exploitation discloses configured data source records, which may contain hostnames, ports, usernames, database names, and related connection parameters. Attackers can pivot from the exposed metadata into the underlying data stores, undermining the confidentiality, integrity, and availability of connected systems.
Root Cause
The DataSource API endpoint does not validate whether the requesting principal holds permission to read the requested data source records. The handler returns metadata to any caller able to reach the API, bypassing the role-based access control model that governs other DolphinScheduler resources. This is a classic CWE-863 authorization gap rather than an authentication failure.
Attack Vector
The attack is performed over the network against the DolphinScheduler API service. The attacker sends a crafted HTTP request to the DataSource API without supplying valid session credentials or tokens. The server responds with data source metadata that should require authenticated and authorized access. No social engineering, privileged position, or pre-existing access is required to trigger the issue. Public technical details are limited; refer to the Apache Mailing List Thread and the Openwall OSS Security Discussion for vendor commentary.
Detection Methods for CVE-2026-32966
Indicators of Compromise
- Unauthenticated HTTP requests to DolphinScheduler DataSource API paths (for example, URIs containing /dolphinscheduler/datasources).
- API access logs showing successful 200 responses to DataSource endpoints from sessions lacking valid authentication tokens.
- Outbound connections from hosts that previously enumerated DataSource records, indicating possible pivoting to backend databases.
Detection Strategies
- Inventory all Apache DolphinScheduler deployments and verify the running version against 3.4.2.
- Review reverse proxy and application logs for anomalous request volume against DataSource API routes.
- Correlate DataSource API access events with subsequent authentication attempts on referenced database servers.
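As an added example (not part of this advisory or of the DolphinScheduler project), the following Python script applies the indicators and strategies above to constructed reverse-proxy access log lines: it flags 200 responses on DataSource API paths for requests that carry neither a sessionId cookie nor a token header, counts those hits per client address, and compares a reported version string against the fixed release 3.4.2. The log line layout, the field names, and the assumption that the proxy records the two credential fields are assumptions made for this example, not documented DolphinScheduler behaviour.

```python
"""Flag unauthenticated reads of the DolphinScheduler DataSource API in access logs.

Assumptions (not taken from the advisory): the reverse proxy writes one line per
request in the constructed format below, and an authenticated request carries
either a 'sessionId' cookie or a 'token' header, logged verbatim as the last
two fields ('-' when absent).
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log lines, not real traffic. Field order:
#   client_ip [timestamp] "METHOD path" status cookie token
SAMPLE_LOG = """\
10.10.0.5 [2026-06-18T09:00:01Z] "GET /dolphinscheduler/datasources?pageNo=1&pageSize=10" 200 sessionId=a1b2c3d4 -
203.0.113.7 [2026-06-18T09:00:05Z] "GET /dolphinscheduler/datasources?pageNo=1&pageSize=100" 200 - -
203.0.113.7 [2026-06-18T09:00:06Z] "GET /dolphinscheduler/datasources/42" 200 - -
203.0.113.7 [2026-06-18T09:00:07Z] "GET /dolphinscheduler/datasources/43" 200 - -
198.51.100.9 [2026-06-18T09:01:00Z] "GET /dolphinscheduler/datasources" 401 - -
10.10.0.8 [2026-06-18T09:02:00Z] "GET /dolphinscheduler/projects" 200 - token=e5f6a7b8
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r"(?P<status>\d{3}) (?P<cookie>\S+) (?P<token>\S+)$"
)
# Matches the collection and any item/query form of the DataSource API path
# (advisory indicator: URIs containing /dolphinscheduler/datasources).
DATASOURCE_PATH = re.compile(r"^/dolphinscheduler/datasources(?:[/?]|$)")

FIXED_VERSION = (3, 4, 2)
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+](.+))?$")


def parse_line(line: str) -> Optional[Dict]:
    """Parse one constructed log line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_authenticated(entry: Dict) -> bool:
    """Assumed convention: either credential field present means a session existed."""
    return entry["cookie"].startswith("sessionId=") or entry["token"].startswith("token=")


def find_unauthenticated_reads(log_text: str) -> List[Dict]:
    """Return entries where a DataSource path returned 200 to a request with no credentials."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if (
            DATASOURCE_PATH.match(entry["path"])
            and entry["status"] == 200
            and not is_authenticated(entry)
        ):
            hits.append(entry)
    return hits


def count_by_source(hits: List[Dict]) -> Counter:
    """Per-client hit counts; a burst from one address suggests enumeration of records."""
    return Counter(h["ip"] for h in hits)


def is_vulnerable(version: str) -> bool:
    """True when a reported DolphinScheduler version predates the fixed release 3.4.2."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    base = tuple(int(part or 0) for part in m.group(1, 2, 3))
    suffix = m.group(4)
    if base < FIXED_VERSION:
        return True
    # A pre-release build of the fixed version (e.g. 3.4.2-SNAPSHOT) is treated
    # conservatively as unpatched: only released 3.4.2 or later is known to carry the fix.
    return base == FIXED_VERSION and suffix is not None


if __name__ == "__main__":
    found = find_unauthenticated_reads(SAMPLE_LOG)
    for ip, n in count_by_source(found).most_common():
        print(f"{ip}: {n} unauthenticated DataSource API reads returned 200")
    for v in ("3.4.1", "3.4.2", "3.4.2-SNAPSHOT"):
        print(f"version {v}: {'vulnerable' if is_vulnerable(v) else 'patched'}")
```

A 401 on a DataSource path is not a hit, because it shows the check working; the signal the advisory describes is a 200 with no credentials. Run the script against exported proxy logs after adjusting LINE_RE to the real log format.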
Monitoring Recommendations
- Forward DolphinScheduler API and authentication logs to a centralized SIEM for continuous review.
- Alert on DataSource API responses returning data to clients without an associated authenticated session ID.
- Monitor egress traffic from DolphinScheduler hosts and connected databases for unexpected client sources.
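The correlation the detection and monitoring lists call for (DataSource API reads followed by authentication attempts against the referenced database servers from the same client) is shown below as an added Python example; it is not part of the advisory or of any vendor tooling. It works on constructed, already-normalised events of the kind a SIEM would emit after parsing proxy and database logs; the event field names and the one-hour window are assumptions made for the example.

```python
"""Correlate DataSource API reads with later database logins from the same source.

Assumption (not from the advisory): upstream parsing has produced events with
'ts', 'source', 'kind' and 'target' fields, where kind is 'datasource_read'
for a DataSource API response or 'db_auth' for a login attempt on a database.
"""
from datetime import datetime
from typing import Dict, List

# Constructed sample events, not real data.
EVENTS = [
    {"ts": "2026-06-18T09:00:05Z", "source": "203.0.113.7", "kind": "datasource_read",
     "target": "dolphinscheduler-api"},
    {"ts": "2026-06-18T09:14:30Z", "source": "203.0.113.7", "kind": "db_auth",
     "target": "pg-warehouse-01", "outcome": "failure"},
    {"ts": "2026-06-18T09:15:02Z", "source": "203.0.113.7", "kind": "db_auth",
     "target": "pg-warehouse-01", "outcome": "success"},
    # Legitimate scheduler host: read in the morning, unrelated login hours later.
    {"ts": "2026-06-18T09:00:01Z", "source": "10.10.0.5", "kind": "datasource_read",
     "target": "dolphinscheduler-api"},
    {"ts": "2026-06-18T13:30:00Z", "source": "10.10.0.5", "kind": "db_auth",
     "target": "pg-warehouse-01", "outcome": "success"},
    # Database login with no preceding DataSource read from that source.
    {"ts": "2026-06-18T08:00:00Z", "source": "198.51.100.9", "kind": "db_auth",
     "target": "pg-warehouse-01", "outcome": "success"},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp; the trailing 'Z' is mapped to an explicit UTC offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(events: List[Dict], window_seconds: int = 3600) -> List[Dict]:
    """Return one alert per source whose database logins follow a DataSource read
    within window_seconds. Events are processed in time order, so a login that
    precedes every read from that source never matches."""
    reads: Dict[str, List[datetime]] = {}
    alerts: Dict[str, Dict] = {}
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        t = parse_ts(e["ts"])
        if e["kind"] == "datasource_read":
            reads.setdefault(e["source"], []).append(t)
        elif e["kind"] == "db_auth":
            prior = [r for r in reads.get(e["source"], [])
                     if (t - r).total_seconds() <= window_seconds]
            if not prior:
                continue
            alert = alerts.setdefault(e["source"], {
                "source": e["source"],
                "first_read": min(prior).isoformat(),
                "db_auth_events": 0,
                "targets": set(),
            })
            alert["db_auth_events"] += 1
            alert["targets"].add(e["target"])
    return list(alerts.values())


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['source']}: {a['db_auth_events']} database login attempt(s) on "
              f"{sorted(a['targets'])} after DataSource read at {a['first_read']}")
```

Both failed and successful logins are counted, because a failed attempt using details lifted from the metadata is as much a sign of pivoting as a successful one; tune window_seconds to how quickly your environment expects a legitimate scheduler host to reuse a data source after registering it.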
How to Mitigate CVE-2026-32966
Immediate Actions Required
- Upgrade Apache DolphinScheduler to version 3.4.2 or later on all worker, master, and API nodes.
- Restrict DolphinScheduler API exposure to trusted management networks using firewall and reverse proxy rules.
- Rotate credentials stored in DolphinScheduler data sources if logs indicate unauthorized DataSource API access.
Patch Information
The Apache DolphinScheduler project addressed the missing authorization check in version 3.4.2. Operators should consult the Apache Mailing List Thread for the official advisory and upgrade guidance. No vendor-supplied configuration toggle replaces the upgrade.
Workarounds
- Block external network access to the DolphinScheduler API service until the upgrade is complete.
- Place the API behind an authenticating reverse proxy that enforces session validation on every request.
- Remove unused data source entries to reduce metadata exposure in the interim.
# Configuration example: restrict DolphinScheduler API to internal management subnet
# Example iptables rules; adjust the port, interface and CIDR range for your environment.
# 12345 is the default api-server listening port. Rules are evaluated in order, so the
# ACCEPT for the management subnet must come before the catch-all DROP.
iptables -A INPUT -p tcp --dport 12345 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 12345 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

