Apache DolphinScheduler API Authorization Bypass Disclosure Vulnerability

CVE advisory. Severity: CRITICAL (CVSS 9.8)

CVE-2026-32966

A critical vulnerability exists in Apache DolphinScheduler due to a missing authorization check in its DataSource API. It allows unauthenticated users to read sensitive data source metadata, potentially impacting system integrity and confidentiality.

Apache DolphinScheduler: versions before 3.4.2

Halo Surface Signal

Possible · external exposure

Apache DolphinScheduler is a workflow orchestration platform typically deployed in internal, restricted environments. While it functions as a web-based service and may be exposed internally, public internet exposure is not a standard or required deployment pattern, making broad external exploitation less likely despite the network-accessible nature of the vulnerability.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory describes a security vulnerability in Apache DolphinScheduler that could allow unauthorized access to sensitive system information. The issue stems from a missing authorization check in the DataSource API, potentially exposing metadata related to data sources.

  • Unauthorized access to system data.
  • Potential for broad impact on data source information.
  • Confirm relevance and exposure within your environment.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by calling the DataSource API without proper authorization. Because the authorization check is missing, an unauthenticated user can retrieve sensitive metadata about data sources, potentially leading to further compromise of the system.

  • No authentication is needed.
  • Access the DataSource API.
  • Arbitrary metadata disclosure risk.

Live Threat

Current exploitation, exposure, and threat context

Under the conditions described in the advisory, this vulnerability could allow unauthorized access to arbitrary data source metadata within Apache DolphinScheduler, potentially impacting system integrity and information confidentiality.

  • Data source metadata may be exposed.
  • Unauthorized access to metadata could occur.
  • System integrity and confidentiality may be compromised.

Operational Fix

Recommended remediation, mitigation, and detection steps

To address this critical vulnerability in Apache DolphinScheduler, platform and infrastructure teams should take the lead in identifying affected instances, assessing their exposure and criticality, and coordinating remediation. The first practical step is to locate all deployments, confirm whether they are internet-facing or business-critical, and then determine the accountable owner for planning the upgrade to a secure version.

  • Platform and infrastructure teams own remediation.
  • Verify instance exposure and business criticality.
  • Plan and execute upgrades to version 3.4.2 or later.
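As an added example, not code from this advisory, from Halo, or from the Apache DolphinScheduler project, the Python helper below applies the steps above to a constructed asset inventory: it parses version strings, flags instances that fall in the affected range (before 3.4.2), and orders them by exposure and business criticality so that owners can plan upgrades. The inventory records, the host names and the internet_facing / business_critical fields are assumptions about what an asset inventory might carry.

```python
"""Triage helper for CVE-2026-32966 in Apache DolphinScheduler.

Added example, not the advisory's or the project's own code. Flags
instances whose version is before 3.4.2 (the first fixed release named
in the advisory) and ranks the affected ones by exposure.
"""
from dataclasses import dataclass
import re

# First fixed release according to the advisory (versions before it are affected).
FIXED_VERSION = (3, 4, 2)


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse strings such as '3.4.1', 'v3.3' or '3.4.1-SNAPSHOT' into
    a (major, minor, patch) tuple. A missing patch component counts as 0.
    Suffixes are ignored, so a pre-release build of 3.4.2 is treated as
    fixed here; confirm such builds against the release notes."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the instance runs a release before 3.4.2."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class Instance:
    host: str
    version: str
    internet_facing: bool     # assumption: inventory records external reachability
    business_critical: bool   # assumption: inventory records criticality


def priority(inst: Instance) -> int:
    """Urgency score: 0 for fixed instances; affected instances score 1,
    plus 2 if reachable from the internet and plus 1 if business critical.
    This mirrors the advisory's advice to weigh exposure and criticality."""
    if not is_affected(inst.version):
        return 0
    return 1 + (2 if inst.internet_facing else 0) + (1 if inst.business_critical else 0)


def triage(instances: list[Instance]) -> list[Instance]:
    """Return only the affected instances, most urgent first."""
    affected = [i for i in instances if is_affected(i.version)]
    return sorted(affected, key=lambda i: (-priority(i), i.host))


# Constructed sample inventory (host names and flags are made up).
INVENTORY = [
    Instance("ds-prod-edge", "3.4.1", internet_facing=True, business_critical=True),
    Instance("ds-prod-core", "v3.3", internet_facing=False, business_critical=True),
    Instance("ds-dev", "3.4.0-SNAPSHOT", internet_facing=False, business_critical=False),
    Instance("ds-upgraded", "3.4.2", internet_facing=True, business_critical=True),
]


def triage_hosts(instances: list[Instance]) -> list[str]:
    """Host names of affected instances in upgrade order."""
    return [i.host for i in triage(instances)]


if __name__ == "__main__":
    for inst in triage(INVENTORY):
        print(f"{inst.host:14} {inst.version:15} priority={priority(inst)}")
```

Fixed instances are dropped from the output entirely, so the list is the upgrade work queue; the internet-facing instance sorts first, matching the advisory's emphasis on confirming external exposure before planning the upgrade.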

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-32966 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Apache DolphinScheduler allows unauthorized disclosure of sensitive data, which can lead to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Frequently asked questions

What is Apache DolphinScheduler?

Apache DolphinScheduler is a distributed workflow orchestration platform used to manage and schedule complex data processing tasks. It provides a visual interface for designing data pipelines and automates the execution of jobs across various data sources, making it a critical component for data engineering and infrastructure teams.

What does CVE-2026-32966 mean for system security?

This vulnerability is classified as CWE-863, incorrect authorization. In plain English, the system fails to verify whether a user has permission to perform an action. Specifically, in DolphinScheduler the DataSource API skips this check, allowing anyone to view sensitive metadata about how the system connects to external databases or services.

How does an attacker trigger this vulnerability?

An attacker triggers this by directly accessing the DataSource API without providing any authentication credentials. Importantly, the bug is triggered only when that API is reachable; using other parts of the platform or holding an authorized session does not cause this specific disclosure. It is the lack of a mandatory identity check that allows the unintended access.

Is my environment at risk from this Apache DolphinScheduler bug?

Halo Surface Signal notes that while this vulnerability is network-accessible, DolphinScheduler is typically deployed in internal, restricted environments rather than the public internet. You should assess if your specific instance is reachable from untrusted networks, as exposure increases the risk of unauthorized metadata access.

What should I do to address this vulnerability?

The primary response is to update your Apache DolphinScheduler installation to version 3.4.2 or later. You should start by cataloging all running instances to understand where the software is deployed, identifying which versions are affected, and then prioritizing the upgrade process for these systems to ensure the missing authorization check is correctly enforced.