The Apache SkyWalking OAP /debugging/config/dump endpoint can expose sensitive database configuration details, including MySQL or PostgreSQL credentials, to an attacker. When accessed, the response contains configuration values that could be used to compromise the underlying database. The CWE indicates a privacy compromise due to inadequate data handling. The likely attack vector is limited to users who can reach the open endpoint and may require local or remote access if authentication or firewall controls are lax. Based on the description, it is inferred that unauthenticated or low‑privileged users could consume this data.

Apache SkyWalking versions 9.7.0 through 10.3.0 are affected. The vendor release 10.4.0 contains the fix and is the recommended version for all deployments.

The CVSS score is 7.5, and the EPSS score is less than 1%, indicating that while the vulnerability poses a moderate-to-high severity risk, its exploitation likelihood is currently low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. While the endpoint can leak confidential data, an attacker must first reach the endpoint; the lack of public exploitation evidence suggests a moderate risk, yet any exposure of database credentials is severe for confidentiality. The highest rating comes from the potential for total loss of database integrity if those credentials could be used to modify or delete data.