External risk intelligence

Apache DolphinScheduler Unauthorized Access Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-32967

An incorrect authorization flaw exists in Apache DolphinScheduler's experimental `/v2` interface. If that interface is reachable, an unauthenticated user could gain unauthorized access and potentially modify data. This impacts workflow orchestration platforms and warrants attention to assess exposure and plan

Apache DolphinScheduler

before 3.4.2

Halo Surface Signal

Possible · external exposure


Apache DolphinScheduler is a workflow orchestration platform. It usually runs inside internal data-processing networks, but its API server is sometimes published to authorized external users or wired into internet-facing service architectures, so whether this interface is reachable from the internet depends on how the organization deploys the management console.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the experimental `/v2` interface of Apache DolphinScheduler could allow unauthorized access and modification of data. It affects releases before 3.4.2.

  • Unauthorized access and data modification risk.
  • Affects workflow orchestration platforms.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could potentially reach the experimental `/v2` interface of Apache DolphinScheduler over the network. If successful, they could exploit an authorization flaw within this interface to gain unauthorized access and potentially alter data or system behavior.

  • No authentication or special access required.
  • An unauthenticated request reaches the experimental `/v2` interface.
  • Risk of unauthorized access and data modification.

Live Threat

Current exploitation, exposure, and threat context

An incorrect authorization vulnerability in the experimental `/v2` interface of Apache DolphinScheduler could allow unauthorized access to system functionalities and data. This could occur when the interface is exposed and accessed without proper authentication, potentially impacting service behavior and sensitive information.

  • System configuration and data.
  • Unauthorized access to the `/v2` interface.
  • Compromise of workflow orchestration.

Operational Fix

Recommended remediation, mitigation, and detection steps

An incorrect authorization vulnerability in Apache DolphinScheduler's experimental `/v2` interface requires immediate attention from teams managing the platform. The first step is to identify all instances of DolphinScheduler, determine their network exposure and criticality, and then engage the accountable owners to plan remediation.

  • Platform or application owners should manage this.
  • Verify DolphinScheduler network reachability.
  • Plan upgrade or implement compensating controls.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-32967 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Apache DolphinScheduler vulnerability allows unauthorized access, which can lead to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Apache DolphinScheduler?

Apache DolphinScheduler is a distributed workflow orchestration platform designed to manage complex data processing tasks and pipelines. It provides a visual interface for scheduling jobs and monitoring data workflows, acting as the central engine for organizing how data moves and transforms across an organization's infrastructure.

What does CVE-2026-32967 mean for system security?

This CVE describes an Incorrect Authorization vulnerability (CWE-863). Essentially, the software fails to properly verify if a user has permission to perform actions within its experimental /v2 interface. This oversight allows someone to interact with parts of the system and modify data or settings they should not have access to, bypassing intended security restrictions.

How is this vulnerability triggered in DolphinScheduler?

The flaw is triggered by interacting with the experimental /v2 interface without valid authentication. It is important to note that this issue is specific to this particular interface; standard interactions or components outside of this specific /v2 experimental pathway are not identified as the source of this authorization failure.

Do I need to worry if my instance is not on the internet?

Halo Surface Signal indicates that while DolphinScheduler is often used in internal networks, some organizations integrate its APIs into external-facing architectures. If your instance is reachable from the internet, the risk is higher. You should assess your specific deployment environment to determine if this interface is accessible beyond your internal security perimeter.

How should I respond to this vulnerability?

The primary step is to identify all running instances of DolphinScheduler within your environment. Once identified, verify their network reachability and prioritize those that are exposed. Plan to upgrade your software to version 3.4.2 or later, as this release contains the necessary fixes to resolve the authorization weakness.

References