Apache DolphinScheduler DataSource API Missing Authorization - Arbitrary Metadata Disclosure (CVE-2026-32966)
Apache DolphinScheduler versions before 3.4.2 are missing an authorization check on the DataSource API endpoint. An unauthenticated or low-privileged attacker can query data source metadata, including connection strings, credentials, hostnames and database names, without the access controls the endpoint should enforce. CVSS 9.8 (critical). A public PoC is available.
Vulnerability Intelligence
Public PoC
Affected Software
- Vendor: maven
- Product: org.apache.dolphinscheduler:dolphinscheduler-api
- Versions: < 3.4.2
Weakness (CWE)
Timeline
- Disclosed: June 17, 2026
What is CVE-2026-32966 (Apache DolphinScheduler DataSource API Missing Authorization - Arbitrary Metadata Disclosure)?
CVE-2026-32966 maps to the MITRE ATT&CK tactics Credential Access, Discovery and Collection: the adversary is trying to steal account names and passwords, find out what the environment contains, and gather data of interest.
This page provides production-ready detection logic for CVE-2026-32966 covering the telemetry the exploitation path touches. The KQL query below unions three tables, AzureDiagnostics, W3CIISLog and CommonSecurityLog; AzureActivityLog is listed as a related source but is not queried. The queries are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.
MITRE ATT&CK
- Tactic: Credential Access, Discovery, Collection
union isfuzzy=true
(
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog" or Category == "FrontdoorAccessLog"
| where requestUri_s matches regex @"/dolphinscheduler/datasources(/list|/verify|/connect|/getById|/queryDataSourceList)"
| where httpStatus_s in ("200", "201")
| project TimeGenerated, CallerIPAddress = clientIP_s, RequestUri = requestUri_s, HttpMethod = httpMethod_s, ResponseCode = httpStatus_s, UserAgent = userAgent_s
),
(
W3CIISLog
| where csUriStem matches regex @"/dolphinscheduler/datasources"
| where scStatus in (200, 201)
| project TimeGenerated, CallerIPAddress = cIP, RequestUri = csUriStem, HttpMethod = csMethod, ResponseCode = tostring(scStatus), UserAgent = csUserAgent // cast so ResponseCode has one type across the union
),
(
CommonSecurityLog
| where DeviceVendor == "Apache" or ApplicationProtocol == "HTTP"
| where RequestURL matches regex @"/dolphinscheduler/datasources"
| where EventOutcome == "200" or EventOutcome == "201"
| project TimeGenerated, CallerIPAddress = SourceIP, RequestUri = RequestURL, HttpMethod = RequestMethod, ResponseCode = EventOutcome, UserAgent = RequestClientApplication
)
| summarize RequestCount = count(), DistinctEndpoints = dcount(RequestUri), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by CallerIPAddress, UserAgent, bin(TimeGenerated, 5m)
| where RequestCount >= 3 or DistinctEndpoints >= 2
| extend RiskScore = case(
RequestCount >= 20, "Critical",
RequestCount >= 10, "High",
DistinctEndpoints >= 3, "High",
"Medium"
)
| project-reorder TimeGenerated, CallerIPAddress, RequestCount, DistinctEndpoints, RiskScore, FirstSeen, LastSeen, UserAgent

Detects repeated or enumeration-style HTTP requests to Apache DolphinScheduler DataSource API endpoints that may indicate exploitation of the missing authorization check in CVE-2026-32966. The query looks for burst access patterns across Azure Application Gateway and Front Door access logs (AzureDiagnostics), IIS (W3CIISLog) and CEF sources (CommonSecurityLog): successful (200/201) requests are grouped by client IP, user agent and 5-minute window, and a group alerts when it issues at least 3 requests or touches at least 2 distinct endpoints. Note that only the AzureDiagnostics branch restricts the match to the listed sub-paths (/list, /verify, /connect, /getById, /queryDataSourceList); the W3CIISLog and CommonSecurityLog branches match the /dolphinscheduler/datasources prefix, so per-id requests such as /dolphinscheduler/datasources/7 are only caught by those two branches.
Data Sources
- Required tables: AzureDiagnostics, W3CIISLog, CommonSecurityLog
False Positives
- Legitimate DolphinScheduler administrators performing bulk data source configuration or auditing
- Automated health check or monitoring scripts querying DataSource API endpoints at regular intervals
- CI/CD pipelines that validate data source connectivity during deployment processes
- DolphinScheduler internal service-to-service communication for scheduling tasks
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-32966 above is shown in KQL; the same logic is also shipped as native SPL (Splunk), Elastic (Elastic Security, EQL), QRadar (IBM QRadar, AQL), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps) and LogScale (CrowdStrike LogScale, CQL) queries, so it can be deployed on any of those SIEMs. In Sigma terms, this detection targets the following logsource:
logsource:
  product: azure
Testing Methodology
Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated DolphinScheduler DataSource List Enumeration
Expected signal: an HTTP GET request to /dolphinscheduler/datasources/list with no Authorization header, answered with HTTP 200 and a JSON array of data source objects containing connection metadata. A single successful request is below the query's threshold (3 requests or 2 distinct endpoints per client in a 5-minute window), so repeat it or pair it with a second endpoint when validating the rule.
- Test 2: DolphinScheduler DataSource Credential Extraction via getById
Expected signal: sequential HTTP GET requests to /dolphinscheduler/datasources/[1-20] from the same source IP within 10 seconds, multiple HTTP 200 responses and a high DistinctEndpoints count. These per-id paths are matched by the W3CIISLog and CommonSecurityLog branches of the query; the AzureDiagnostics branch only matches the listed sub-paths, so it will not fire on this test unless its regex is widened.
- Test 3: DolphinScheduler DataSource Verify Endpoint Credential Probe
Expected signal: an HTTP POST to /dolphinscheduler/datasources/verify with a JSON body containing credential parameters, followed by an outbound TCP connection from the DolphinScheduler host to TARGET_DB_HOST:3306.
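The KQL query and the three test patterns above, replayed offline. This is an added example, not code from the original page or from the DolphinScheduler project: it re-implements the query's filter, 5-minute bucketing, threshold and case() scoring in Python over constructed access-log lines (the one-line log format, the addresses, timestamps and user agents are invented for the example and stand in for the AzureDiagnostics, W3CIISLog and CommonSecurityLog rows), and it feeds in the request sequences from Tests 1 to 3 so you can see which of them actually cross the threshold under the prefix match used by the IIS and CEF branches versus the stricter sub-path regex of the AzureDiagnostics branch.

```python
"""Offline replay of the KQL detection for CVE-2026-32966.

Added example, not code from the page or the DolphinScheduler project. Input is
constructed log lines:  <ISO timestamp> <client IP> <method> <URI> <status> "<user agent>"
standing in for the three tables the query unions; all values are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# The query's AzureDiagnostics branch requires one of these sub-paths; its
# W3CIISLog and CommonSecurityLog branches match only the path prefix.
STRICT_PATH = re.compile(
    r"/dolphinscheduler/datasources(/list|/verify|/connect|/getById|/queryDataSourceList)")
PREFIX_PATH = re.compile(r"/dolphinscheduler/datasources")

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

# Constructed sample traffic: the three test patterns plus benign noise.
SAMPLE_LOG = [
    # Test 1: one anonymous list request; alone it stays below the query's
    # "3 requests or 2 distinct endpoints" threshold.
    '2026-06-18T09:00:05 203.0.113.5 GET /dolphinscheduler/datasources/list 200 "curl/8.5.0"',
    # An administrator reloading the list twice: benign, below threshold.
    '2026-06-18T09:01:10 10.0.0.8 GET /dolphinscheduler/datasources/list 200 "Mozilla/5.0"',
    '2026-06-18T09:03:40 10.0.0.8 GET /dolphinscheduler/datasources/list 200 "Mozilla/5.0"',
    # A rejected request: only 200/201 responses are counted.
    '2026-06-18T09:10:00 198.51.100.23 GET /dolphinscheduler/datasources/list 401 "python-requests/2.32"',
] + [
    # Test 2: sequential getById enumeration of ids 1..20 within ten seconds.
    f'2026-06-18T09:10:{1 + i // 2:02d} 198.51.100.23 GET /dolphinscheduler/datasources/{i} 200 '
    '"python-requests/2.32"'
    for i in range(1, 21)
] + [
    # Test 3: three verify probes carrying candidate credentials.
    f'2026-06-18T09:20:{s:02d} 203.0.113.5 POST /dolphinscheduler/datasources/verify 200 "curl/8.5.0"'
    for s in (0, 4, 9)
]


def parse(line):
    """Split one log line into a dict, or return None for a malformed line."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def time_bin(ts, minutes=5):
    """Floor a timestamp to its window, like KQL bin(TimeGenerated, 5m)."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def risk_score(count, distinct):
    """Same ordered case() as the query: the first matching branch wins."""
    if count >= 20:
        return "Critical"
    if count >= 10 or distinct >= 3:
        return "High"
    return "Medium"


def detect(lines, strict=False):
    """Replay the query: filter, group by (ip, user agent, 5m bin), threshold, score.

    strict=True applies the AzureDiagnostics branch's sub-path regex instead of
    the prefix match used by the IIS and CEF branches.
    """
    path = STRICT_PATH if strict else PREFIX_PATH
    groups = defaultdict(lambda: {"count": 0, "uris": set(), "first": None, "last": None})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["status"] not in ("200", "201") or not path.search(ev["uri"]):
            continue
        g = groups[(ev["ip"], ev["ua"], time_bin(ev["ts"]))]
        g["count"] += 1
        g["uris"].add(ev["uri"])
        g["first"] = ev["ts"] if g["first"] is None else min(g["first"], ev["ts"])
        g["last"] = ev["ts"] if g["last"] is None else max(g["last"], ev["ts"])

    alerts = []
    for (ip, ua, window), g in groups.items():
        count, distinct = g["count"], len(g["uris"])
        if count < 3 and distinct < 2:  # inverse of "RequestCount >= 3 or DistinctEndpoints >= 2"
            continue
        alerts.append({"window": window, "ip": ip, "user_agent": ua, "count": count,
                       "distinct": distinct, "risk": risk_score(count, distinct),
                       "first_seen": g["first"], "last_seen": g["last"]})
    return sorted(alerts, key=lambda a: (a["first_seen"], a["ip"]))


if __name__ == "__main__":
    for label, strict in (("prefix match (IIS/CEF branches)", False),
                          ("sub-path regex (AzureDiagnostics branch)", True)):
        print(f"== {label} ==")
        for a in detect(SAMPLE_LOG, strict=strict):
            print(f"{a['window']:%H:%M} {a['ip']:<15} {a['user_agent']:<22} "
                  f"count={a['count']:<3} endpoints={a['distinct']:<3} {a['risk']}")
```

Running it prints one alert per (client, user agent, window) group. Under the prefix match the 20-request enumeration from Test 2 scores Critical and the three verify probes from Test 3 score Medium, while the single list request from Test 1 and the two admin reloads never cross the threshold. Under the sub-path regex the enumeration disappears entirely, which is the gap to close before relying on the Application Gateway branch alone.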