
Apache DolphinScheduler CVE-2026-32966

EUVD-2026-37580 | CRITICAL | 2026-06-17

Severity by source

  • vuln.today AI: 6.5 MEDIUM
    Rationale: network-reachable API, no attack complexity; PR:L because authentication is required; C:H for sensitive infrastructure metadata; no integrity or availability impact.
    CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

  • Jun 17, 2026 11:01 - Patch available (source: EUVD)
  • Jun 17, 2026 02:21 - Analysis generated (source: vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI-generated)

Missing authorization check in the Apache DolphinScheduler DataSource API exposes arbitrary data source metadata to users who lack permission to view it, affecting all versions before 3.4.2. Authenticated users with low-privilege access can query the DataSource API and retrieve connection metadata - such as hostnames, ports, database names, and usernames - belonging to data sources they are not authorized to access. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: obtain DolphinScheduler user credentials
  • Delivery: authenticate to the DolphinScheduler API
  • Exploit: enumerate data source IDs via the DataSource API
  • Execution: request metadata for unauthorized data sources
  • Impact: harvest infrastructure details (hostnames, ports, usernames)

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires an active, authenticated session on the Apache DolphinScheduler platform - an attacker must hold a valid user account (any privilege level) on the target instance. …

Risk Assessment: The Apache project rates this moderate, which is consistent with a network-accessible, low-complexity missing authorization flaw that yields confidentiality impact only. …

Exploit Scenario: An authenticated DolphinScheduler user with a low-privilege tenant account sends unauthorized API requests to the DataSource metadata endpoint, specifying data source IDs belonging to other tenants or admin-owned sources. Because the authorization check is absent, the server returns full metadata - hostnames, ports, schema names, and usernames - for those sources without verifying ownership. …

Remediation: Upgrade Apache DolphinScheduler to version 3.4.2, which contains the authorization fix, per the Apache project's own recommendation. …
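The flaw class described above is a missing object-level authorization check: the endpoint looks a record up by ID and serialises it for any authenticated caller. The following is an added example written for this page, not vuln.today's analysis and not DolphinScheduler's own code; the endpoint, data model, grant table and access-log format are all hypothetical and constructed. It shows the vulnerable lookup pattern next to a hardened version that decides authorization before serialising anything, and a small detection pass over constructed access-log lines that flags one principal fetching metadata for many distinct data source IDs, which is the signal the attack chain on this page would leave behind.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


@dataclass(frozen=True)
class DataSource:
    id: int
    owner: str
    host: str
    port: int
    database: str
    username: str


# Constructed inventory standing in for a scheduler's data source table.
# Connection secrets are deliberately absent: only metadata is modelled.
DATASOURCES = {
    1: DataSource(1, "alice", "db-hr.internal", 5432, "hr", "hr_reader"),
    2: DataSource(2, "bob", "db-sales.internal", 3306, "sales", "sales_etl"),
    3: DataSource(3, "admin", "db-core.internal", 5432, "core", "svc_core"),
}

# Explicit read grants beyond ownership (constructed): alice may read bob's source.
GRANTS = {"alice": {2}}


class AuthorizationError(PermissionError):
    """Raised when the caller may not see the requested data source."""


def _metadata(ds: DataSource) -> dict:
    return {"host": ds.host, "port": ds.port, "database": ds.database, "username": ds.username}


def get_datasource_metadata_unchecked(user: User, ds_id: int) -> dict:
    """Vulnerable pattern (hypothetical): looks the record up by ID and returns
    it to any authenticated caller, never asking whether this user may see it."""
    return _metadata(DATASOURCES[ds_id])


def can_read(user: User, ds_id: int) -> bool:
    """Object-level authorization decision: admin, owner, or explicit grant."""
    ds = DATASOURCES.get(ds_id)
    if ds is None:
        return False
    return user.is_admin or ds.owner == user.name or ds_id in GRANTS.get(user.name, set())


def get_datasource_metadata(user: User, ds_id: int) -> dict:
    """Hardened pattern: the ownership/grant decision happens before any
    metadata is serialised. Unknown and forbidden IDs raise the same error
    type, so a caller cannot learn which IDs exist by probing."""
    if not can_read(user, ds_id):
        raise AuthorizationError(f"user {user.name!r} may not read data source {ds_id}")
    return _metadata(DATASOURCES[ds_id])


# --- Detection: one principal touching many distinct data source IDs ---
# Constructed access-log format; adapt the regex to the real gateway/app log.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) GET /datasources/(?P<id>\d+) status=(?P<status>\d{3})$"
)

# Constructed sample: alice re-reads her own source; bob walks six IDs in six seconds.
SAMPLE_LOG = """\
2026-06-17T08:00:01Z user=alice GET /datasources/1 status=200
2026-06-17T08:00:09Z user=alice GET /datasources/1 status=200
2026-06-17T08:01:00Z user=bob GET /datasources/1 status=200
2026-06-17T08:01:01Z user=bob GET /datasources/2 status=200
2026-06-17T08:01:02Z user=bob GET /datasources/3 status=200
2026-06-17T08:01:03Z user=bob GET /datasources/4 status=200
2026-06-17T08:01:04Z user=bob GET /datasources/5 status=200
2026-06-17T08:01:05Z user=bob GET /datasources/6 status=404
"""


def find_enumerators(log_text: str, threshold: int = 5) -> dict:
    """Return users that fetched metadata for at least `threshold` distinct
    data source IDs. On an unpatched instance every probe of an existing ID
    answers 200, so the useful signal is breadth of IDs, not error rate."""
    ids_by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ids_by_user[m["user"]].add(int(m["id"]))
    return {u: sorted(ids) for u, ids in ids_by_user.items() if len(ids) >= threshold}


if __name__ == "__main__":
    bob = User("bob")
    print(get_datasource_metadata_unchecked(bob, 1))  # leaks alice's source metadata
    try:
        get_datasource_metadata(bob, 1)
    except AuthorizationError as e:
        print("blocked:", e)
    print(find_enumerators(SAMPLE_LOG))
```

The detection threshold is a tuning knob: on a real deployment, baseline how many distinct data sources a typical user reads per hour and alert on the outliers. Returning one error type for both "does not exist" and "not yours" in the hardened function is what keeps a patched endpoint from still serving as an ID oracle.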

Recommended Action (AI-generated)

Within 24 hours: inventory all Apache DolphinScheduler instances and identify their current versions; determine which are running versions before 3.4.2. …

