Description
DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the Apache DolphinScheduler DataSource API allows an attacker to obtain arbitrary data source metadata. This omission is classified as a CWE‑863 vulnerability and can expose sensitive connection details, potentially facilitating further attacks. The impact is primarily the compromise of confidentiality for the underlying data sources.

Affected Systems

Apache Software Foundation’s Apache DolphinScheduler versions released before 3.4.2 are vulnerable. The issue affects all installations running those earlier releases.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and the EPSS score of <1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be via the exposed DataSource API endpoint, which does not enforce proper authorization, enabling any user who can reach the API to retrieve metadata. Given the potential for sensitive information exposure, the risk to affected organizations is moderate but warrants prompt remediation.

Generated by OpenCVE AI on June 18, 2026 at 20:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache DolphinScheduler to version 3.4.2 or later.
  • If an upgrade is not immediately possible, limit network exposure of the DataSource API by configuring firewall rules or reverse‑proxy authentication to ensure only authorized users can access it.
  • Verify that the system’s access‑control configuration enforces proper authorization checks against the DataSource endpoints.

Generated by OpenCVE AI on June 18, 2026 at 20:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r989-cjhx-3v49 Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache dolphinscheduler
Vendors & Products Apache
Apache dolphinscheduler

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Title Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
Weaknesses CWE-863
References

Subscriptions

Apache Dolphinscheduler
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-17T15:34:06.325Z

Reserved: 2026-03-17T01:50:30.908Z

Link: CVE-2026-32966

cve-icon Vulnrichment

Updated: 2026-06-17T09:39:51.818Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:05Z

Weaknesses