CVE-2026-32967 Overview
CVE-2026-32967 is an Incorrect Authorization vulnerability [CWE-863] affecting the /v2 experimental interface in Apache DolphinScheduler. The flaw allows unauthenticated network attackers to bypass authorization controls and interact with API endpoints that should require valid credentials. All versions of Apache DolphinScheduler prior to 3.4.2 are affected. The Apache Software Foundation released version 3.4.2 to remediate the issue.
Critical Impact
An unauthenticated remote attacker can call /v2 experimental API endpoints that should require a valid session, exposing scheduling data and allowing changes to workflow state in affected DolphinScheduler deployments.
Affected Products
- Apache DolphinScheduler versions before 3.4.2
- Deployments exposing the /v2 experimental API endpoint
- Self-hosted DolphinScheduler clusters reachable from untrusted networks
Discovery Timeline
- 2026-06-17 - CVE-2026-32967 published to NVD
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2026-32967
Vulnerability Analysis
Apache DolphinScheduler is a distributed workflow orchestration platform used to schedule complex data pipelines. The product exposes a REST API surface, including an experimental /v2 interface introduced for newer client integrations. CVE-2026-32967 stems from incorrect authorization logic on this /v2 interface, allowing requests to reach protected handlers without the access checks enforced on the stable API.
CWE-863 (Incorrect Authorization) covers code that performs an authorization check but does so incorrectly, so that a caller is granted access it should not have. Here the experimental interface does not validate the caller's identity or role consistently with the rest of the application, so an attacker can invoke through /v2 operations that the equivalent stable endpoints would reject.
Because DolphinScheduler controls task execution, workflow definitions, and data source credentials, abuse of the API can lead to manipulation of scheduling state and disclosure of pipeline configuration. The vulnerability is reachable over the network without authentication or user interaction.
Root Cause
The root cause is an authorization gap in the request handling chain for the /v2 experimental controllers. Authorization filters applied to the v1 API are not consistently enforced on the v2 routes, leaving guarded operations exposed to unauthenticated callers.
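To make the authorization gap concrete, the following is an added, constructed Python model written for this page. It is not DolphinScheduler's code: the real project is a Java/Spring application, and its actual interceptor wiring is not reproduced here. The route prefixes, handler, and session store are hypothetical. The model contrasts an auth check bound to one path prefix (the CWE-863 pattern described above, where the filter guards /v1 but not /v2) with a deny-by-default dispatcher that authenticates every route unless it is explicitly public.

```python
"""
Illustrative model of a route-based authorization gap (CWE-863).

Constructed example for this page; NOT DolphinScheduler code. Paths,
handlers, and the session store below are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    path: str
    session_id: Optional[str] = None  # would come from a cookie or token header


# Hypothetical session store: only "s-admin" is a valid logged-in session.
VALID_SESSIONS = {"s-admin"}


def list_projects(req: Request) -> dict:
    """Hypothetical protected handler, mounted under two API prefixes."""
    return {"status": 200, "body": "projects visible to %s" % req.session_id}


ROUTES: Dict[str, Callable[[Request], dict]] = {
    "/dolphinscheduler/v1/projects": list_projects,
    "/dolphinscheduler/v2/projects": list_projects,  # same handler, new prefix
}


def authenticated(req: Request) -> bool:
    return req.session_id in VALID_SESSIONS


def dispatch_vulnerable(req: Request) -> dict:
    """Auth check registered for the /v1 prefix only: allow-by-default elsewhere."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return {"status": 404}
    # BUG: the guard only covers the prefix it was explicitly attached to,
    # so a controller mounted under /v2 is reachable without any check.
    if req.path.startswith("/dolphinscheduler/v1/") and not authenticated(req):
        return {"status": 401}
    return handler(req)


def dispatch_hardened(
    req: Request, public_paths: Tuple[str, ...] = ("/dolphinscheduler/login",)
) -> dict:
    """Deny-by-default: every route is authenticated unless explicitly public."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return {"status": 404}
    if req.path not in public_paths and not authenticated(req):
        return {"status": 401}
    return handler(req)


def demo() -> Dict[str, int]:
    """Status codes an anonymous caller gets from both prefixes, both dispatchers."""
    anon_v1 = Request("/dolphinscheduler/v1/projects")
    anon_v2 = Request("/dolphinscheduler/v2/projects")
    return {
        "vulnerable_v1": dispatch_vulnerable(anon_v1)["status"],
        "vulnerable_v2": dispatch_vulnerable(anon_v2)["status"],
        "hardened_v1": dispatch_hardened(anon_v1)["status"],
        "hardened_v2": dispatch_hardened(anon_v2)["status"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that a new API prefix inherits protection automatically; adding a route can never widen the unauthenticated surface, because the only way to expose a path is to add it to the explicit public list.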
Attack Vector
An attacker sends crafted HTTP requests directly to the /v2 endpoints of an exposed DolphinScheduler instance. No credentials, tokens, or prior user interaction are required. The vulnerability is fully remote and can be exploited against any deployment where the API is reachable from the attacker's network.
No public proof-of-concept code is referenced in the advisory. Technical specifics are described in the Apache List Discussion and the OpenWall OSS Security Update.
Detection Methods for CVE-2026-32967
Indicators of Compromise
- HTTP requests to URI paths beginning with /dolphinscheduler/v2/ (the API server's default context path is /dolphinscheduler) or /v2/ that carry no session cookie or API token, particularly from external sources.
- Workflow, project, or user objects created or modified by accounts that have no recent interactive login activity.
- Unexpected task executions or process definitions appearing in DolphinScheduler audit logs without corresponding UI sessions.
Detection Strategies
- Inspect application and reverse proxy access logs for requests to /v2 endpoints that lack the session cookie or API token header authenticated DolphinScheduler clients send; the proxy log format must be configured to record those fields for this to work.
- Alert on HTTP 200 responses to /v2 administrative routes originating from IP ranges that are not part of the trusted operator network.
- Compare current DolphinScheduler version against 3.4.2 across the asset inventory and flag any instance below that baseline.
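The detection strategies above, run over sample data, as an added example written for this page (not DolphinScheduler code or an official detection rule). It assumes a hypothetical custom NGINX log format of the form `$remote_addr [$time_local] "$request" $status "$http_cookie" "$http_token"` so that the cookie and token header are visible to the triage; the cookie name `sessionId` and header name `token` are assumptions to check against your deployment. The trusted CIDR, log lines, and version inventory are constructed.

```python
"""
Triage of reverse-proxy access logs for unauthenticated /v2 API access,
plus a version baseline check against 3.4.2.

Constructed example for this page; not DolphinScheduler code. The log
format, cookie/header names, trusted range, and sample data are assumptions.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Assumed log format: $remote_addr [$time_local] "$request" $status "$http_cookie" "$http_token"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)" "(?P<token>[^"]*)"$'
)

V2_PREFIXES = ("/dolphinscheduler/v2/", "/v2/")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed operator range


def is_v2(path: str) -> bool:
    """Prefix-match the path with any query string removed."""
    return path.split("?", 1)[0].startswith(V2_PREFIXES)


def has_credentials(cookie: str, token: str) -> bool:
    """Assumed names: a sessionId cookie from login, or a token header for API clients."""
    return "sessionId=" in cookie or token not in ("", "-")


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return /v2 entries that carry no credentials, or that succeeded from an untrusted source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        d = m.groupdict()
        if not is_v2(d["path"]):
            continue
        reasons = []
        if not has_credentials(d["cookie"], d["token"]):
            reasons.append("no-credentials")
        if d["status"] == "200" and not is_trusted(d["ip"]):
            reasons.append("untrusted-source-200")
        if reasons:
            hits.append({"ip": d["ip"], "path": d["path"],
                         "status": d["status"], "reason": ",".join(reasons)})
    return hits


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.4.1' -> (3, 4, 1); a suffix such as '-SNAPSHOT' is ignored."""
    core = v.split("-", 1)[0]
    return tuple(int(x) for x in core.split("."))


def below_baseline(inventory: Dict[str, str], baseline: str = "3.4.2") -> List[str]:
    """Hosts whose DolphinScheduler version is older than the fixed release."""
    base = parse_version(baseline)
    return sorted(host for host, v in inventory.items() if parse_version(v) < base)


SAMPLE_LOG = [  # constructed
    '10.1.2.3 [17/Jun/2026:10:00:01 +0000] "GET /dolphinscheduler/v2/projects HTTP/1.1" 200 "sessionId=abc" "-"',
    '203.0.113.7 [17/Jun/2026:10:00:05 +0000] "GET /dolphinscheduler/v2/projects HTTP/1.1" 200 "-" "-"',
    '203.0.113.7 [17/Jun/2026:10:00:06 +0000] "POST /dolphinscheduler/v2/workflows?x=1 HTTP/1.1" 200 "-" "-"',
    '198.51.100.9 [17/Jun/2026:10:00:09 +0000] "GET /dolphinscheduler/projects HTTP/1.1" 401 "-" "-"',
    '10.1.2.3 [17/Jun/2026:10:00:10 +0000] "GET /dolphinscheduler/v2/projects HTTP/1.1" 200 "-" "-"',
]

SAMPLE_INVENTORY = {"ds-api-1": "3.4.1", "ds-api-2": "3.4.2", "ds-api-3": "3.3.0-SNAPSHOT"}  # constructed

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
    print("below 3.4.2:", below_baseline(SAMPLE_INVENTORY))
```

Note that the last sample line (an internal address with no credentials) is still flagged: after patching, a /v2 request without any credential that nonetheless returns 200 is worth investigating regardless of source, since internal hosts can be the pivot point.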
Monitoring Recommendations
- Forward DolphinScheduler API and audit logs to a centralized SIEM for correlation against authentication events.
- Baseline normal /v2 traffic, which should come only from known automation clients, so that callers outside that baseline stand out during and after the patching window.
- Monitor egress traffic from the DolphinScheduler host for unexpected connections to attacker-controlled infrastructure that could indicate workflow abuse.
How to Mitigate CVE-2026-32967
Immediate Actions Required
- Upgrade Apache DolphinScheduler to version 3.4.2 or later on all master, worker, and API nodes.
- Restrict network exposure of the DolphinScheduler API to trusted management networks using firewall rules or a reverse proxy allowlist.
- Audit recently created users, projects, workflows, and data source entries for unauthorized changes since the API was exposed.
Patch Information
The Apache DolphinScheduler project addresses CVE-2026-32967 in version 3.4.2. Administrators should follow the upgrade procedure documented in the project release notes and validate cluster functionality after the update. Refer to the Apache List Discussion for the official remediation announcement.
Workarounds
- If immediate patching is not feasible, block all external access to /v2 paths at the reverse proxy or load balancer until the upgrade is applied. This only helps if the API server's own listening port is not reachable except through that proxy; otherwise the block is trivially bypassed.
- Disable or remove the experimental /v2 interface where deployment configuration permits, restricting clients to the stable API.
- Require mutual TLS or network-layer authentication in front of the DolphinScheduler API to prevent unauthenticated reachability.
# Example NGINX configuration to block external access to the /v2 API.
# Only effective if the backend API port is firewalled so that it is
# reachable solely from this proxy host. Use "location /v2/" instead if
# the API is served without the /dolphinscheduler context path.
location /dolphinscheduler/v2/ {
    allow 10.0.0.0/8;    # internal management network; adjust to your ranges
    deny  all;           # every other source receives 403
    proxy_pass http://dolphinscheduler_api;   # upstream defined elsewhere in the config
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

