Severity: HIGH | CVE-2026-32966 | CNA: apache

CVE-2026-32966: Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure

DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 3.4.2
  • Affected products: 1


HarborGuard Analysis

Synopsis

A missing authorization check in the Apache DolphinScheduler DataSource API allows an unauthenticated remote attacker to read data source metadata without any credentials. The vulnerability is reachable over the network and requires no privileges or user interaction to exploit. Successful exploitation exposes connection metadata for configured data sources, which may include hostnames, database names, usernames, and other configuration details. A patched-image rebuild at version 3.4.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Apache DolphinScheduler. Any image running a version prior to 3.4.2 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch: Available

A patched-image rebuild at Apache DolphinScheduler 3.4.2 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable DataSource API endpoint is exposed over the network, so an attacker must be able to reach the DolphinScheduler service via HTTP/HTTPS.

  • Authentication: Not required

    The missing authorization check means no credentials of any kind are needed to call the affected API endpoint.

  • Victim interaction: Not required

    The attacker sends a direct request to the API; no user action or social engineering is involved.

  • Attack complexity: Low (AC:L in the published vector)

    The exploit is straightforward and condition-free: no race conditions, memory layout knowledge, or special environmental factors are required.

Blast Radius

  • Reads metadata for all configured data sources, which may include hostnames, ports, database names, and usernames stored in DolphinScheduler.
  • Exposes connection configuration details that an attacker can use to fingerprint backend databases and plan further attacks.
  • Does not modify any data or affect service availability; impact is limited to confidentiality of data source configuration.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active for all scanned images, with matching running within minutes of the CVE's publication on 2026-06-17. For environments running Apache DolphinScheduler prior to version 3.4.2, a rebuilt image at the fix version is available. Customers with auto-remediation enabled receive a rebuilt image, a regression test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for those environments. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with remediation guidance recommending an upgrade to 3.4.2. In the interim, network-policy controls that restrict unauthenticated access to the DolphinScheduler API plane (for example, requiring a service mesh or API gateway layer in front of the DataSource endpoints) can reduce exposure while an upgrade is scheduled.


Fix available: 3.4.2

Affected packages
  • Apache Software Foundation / Apache DolphinScheduler: < 3.4.2 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N