
Apache DolphinScheduler CVE-2026-32967

EUVD-2026-37583 | CRITICAL
2026-06-17

Severity by source

vuln.today AI: 7.1 HIGH

Rationale: Network-accessible API requiring an authenticated low-privilege account (PR:L); the authorization bypass enables high integrity impact via unauthorized write operations; confidentiality impact is assessed as low since read operations may also be exposed.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

Patch available: Jun 17, 2026 11:01 (EUVD)
Analysis generated: Jun 17, 2026 02:20 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Incorrect Authorization in Apache DolphinScheduler's experimental /v2 API interface permits authenticated users to invoke privileged operations without undergoing permission validation. All releases of the dolphinscheduler-api module prior to 3.4.2 are affected. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege DolphinScheduler credentials
Delivery: Enumerate /v2 API endpoint paths
Exploit: Send a privileged API request to a /v2 route
Execution: Authorization check bypassed by the missing interceptor
Persist: Execute an unauthorized administrative operation
Impact: Access or modify sensitive workflow or datasource data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid authenticated session on the Apache DolphinScheduler platform; an attacker must hold at least a low-privilege account credential. …

Risk Assessment: No NVD CVSS vector, EPSS score, or KEV listing has been published for this CVE, which limits quantitative risk comparison. …

Exploit Scenario: An attacker who holds a low-privilege DolphinScheduler account (e.g., a data analyst with read-only permissions) discovers the undocumented `/v2` experimental API through source code review or endpoint enumeration. By directing standard administrative API calls (such as creating tenants, modifying datasource credentials, or altering workflow execution configurations) to the `/v2` path instead of `/v1`, the attacker bypasses the RBAC checks and performs privileged operations. …

Remediation: The primary remediation is to upgrade to Apache DolphinScheduler version 3.4.2, which introduces proper authorization checks on the `/v2` API interface, per the vendor's own recommendation. …

Recommended Action (AI)

Within 24 hours: Identify all systems running DolphinScheduler API prior to version 3.4.2; implement network-level access restrictions to the /v2 endpoint limited to trusted administrators; review API access logs for suspicious /v2 activity. …
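The three actions above (inventory hosts below 3.4.2, restrict /v2 to trusted administrators, review access logs for /v2 activity) as an added Python triage script. This is example code written for this page, not code from vuln.today or the Apache DolphinScheduler project. It assumes, hypothetically, that the API sits behind a reverse proxy writing nginx combined-format access logs and is served under the /dolphinscheduler context path; the host inventory, trusted-administrator address and log lines are constructed. Any request under the /v2 prefix from an address outside the trusted set is surfaced, write methods first, and a version that cannot be parsed is conservatively treated as affected.

```python
"""Triage helpers for CVE-2026-32967: flag DolphinScheduler hosts below the
fixed release and surface /v2 API traffic from non-administrator addresses.

Added example for this page, not code from vuln.today or Apache DolphinScheduler.
Hypothetical assumptions: the API is reverse-proxied by nginx writing combined-
format access logs, and is served under the /dolphinscheduler context path.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

FIXED_VERSION = (3, 4, 2)  # first release with authorization checks on /v2 (per the advisory)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# nginx "combined" log format; the path group keeps any query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from '3.4.1' or '3.4.1-SNAPSHOT'; None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def is_affected(version: str) -> bool:
    """True for any dolphinscheduler-api release below 3.4.2; unparseable versions count as affected."""
    parsed = parse_version(version)
    return parsed is None or parsed < FIXED_VERSION


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose recorded version still needs the upgrade, sorted for stable reporting."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


def find_v2_requests(
    log_lines: Iterable[str],
    trusted_ips: Iterable[str] = (),
    api_prefix: str = "/dolphinscheduler",
) -> List[Tuple[str, str, str, int, bool]]:
    """Return (ip, method, path, status, is_write) for requests under <api_prefix>/v2
    from addresses not in trusted_ips, with write operations listed first."""
    trusted = set(trusted_ips)
    # Anchor on the API prefix so unrelated paths containing "v2" (e.g. UI assets) do not match.
    v2_path = re.compile(re.escape(api_prefix) + r"/v2(?:/|\?|$)")
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in trusted or not v2_path.match(m["path"]):
            continue
        hits.append((m["ip"], m["method"], m["path"], int(m["status"]), m["method"] in WRITE_METHODS))
    hits.sort(key=lambda h: not h[4])  # stable: writes first, log order otherwise
    return hits


# Constructed inventory, administrator address and log lines (not real hosts or traffic).
INVENTORY = {
    "sched-prod-1": "3.2.1",
    "sched-prod-2": "3.4.2",
    "sched-dev": "3.4.1-SNAPSHOT",
    "sched-legacy": "3.1.9",
}
ADMIN_IPS = {"192.168.1.2"}
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2026:10:01:02 +0000] "GET /dolphinscheduler/v1/projects HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [17/Jun/2026:10:02:10 +0000] "GET /dolphinscheduler/v2/datasources HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jun/2026:10:03:11 +0000] "POST /dolphinscheduler/v2/tenants HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.168.1.2 - - [17/Jun/2026:10:04:00 +0000] "PUT /dolphinscheduler/v2/datasources/3 HTTP/1.1" 200 77 "-" "curl/8.0"
10.0.0.5 - - [17/Jun/2026:10:05:00 +0000] "GET /dolphinscheduler/ui/v2/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print("Upgrade required:", affected_hosts(INVENTORY))
    for ip, method, path, status, is_write in find_v2_requests(SAMPLE_LOG.splitlines(), ADMIN_IPS):
        print(f"{'WRITE' if is_write else 'read '} {ip} {method} {path} -> {status}")
```

The same prefix test that `find_v2_requests` applies is the rule to put in front of the API until the upgrade lands: deny everything matching `<api_prefix>/v2` unless the client address is in the administrator set. Authenticated-but-unauthorized requests return 200 here, so status codes alone will not reveal abuse; the path and method are the signal.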


CVE-2026-32967 vulnerability details – vuln.today
