Detect Apache DolphinScheduler DataSource API Missing Authorization - Arbitrary Metadata Disclosure (CVE-2026-32966) in Google Chronicle
Apache DolphinScheduler versions before 3.4.2 contain a missing authorization check in the DataSource API endpoint. An unauthenticated or low-privileged attacker can query data source metadata including connection strings, credentials, hostnames, and database names without appropriate access controls. CVSS 9.8 critical. Public PoC available.
MITRE ATT&CK
- Tactic: Credential Access, Discovery, Collection
YARA-L Detection Query

rule cve_2026_32966_dolphinscheduler_datasource_unauth {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects potential exploitation of CVE-2026-32966 - Apache DolphinScheduler DataSource API missing authorization"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-32966"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.request_url = /\/dolphinscheduler\/datasources/
    // YARA-L ANDs the statements in this section; the two response codes
    // must be grouped in parentheses so the "or" applies only to them.
    ($e.network.http.response_code = 200 or $e.network.http.response_code = 201)
    $ip = $e.principal.ip

  match:
    $ip over 5m

  condition:
    #e >= 3
}

Chronicle YARA-L 2.0 rule detecting three or more successful HTTP requests (200 or 201) to DolphinScheduler DataSource API endpoints from the same source IP within a 5-minute window, indicating potential CVE-2026-32966 unauthorized data source metadata enumeration.
False Positives & Tuning
- DolphinScheduler worker nodes legitimately polling the API for task scheduling context
- Authorized security assessments running API enumeration tooling
- Internal monitoring systems checking data source availability via the API
- Scripted administrative operations creating multiple data source entries in sequence
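The following Python script is an added example, not part of the df00tech rule package, that re-implements the YARA-L rule's logic offline so the threshold and window can be exercised against sample telemetry, and that adds the allowlist-based tuning suggested by the false-positive list above. The events are constructed for this example (not real logs); the field names only mirror the rule's UDM paths (metadata.event_type, network.http.request_url, network.http.response_code, principal.ip) and the allowlist of worker-node IPs is an assumption you would replace with your own inventory.

```python
"""Offline model of the YARA-L rule: count successful HTTP requests to the
DolphinScheduler datasources API per source IP in a sliding 5-minute
window, alert at 3 or more hits, and skip allowlisted sources (worker
nodes, monitoring) to reduce the false positives listed on the page."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse
import re

# Same path pattern as the rule's request_url regex.
DATASOURCE_PATH = re.compile(r"/dolphinscheduler/datasources")
WINDOW = timedelta(minutes=5)      # "$ip over 5m"
THRESHOLD = 3                      # "#e >= 3"
SUCCESS_CODES = (200, 201)

# Constructed sample events (not real telemetry). Keys mirror UDM paths:
# ts -> metadata.event_timestamp, ip -> principal.ip,
# url -> network.http.request_url, code -> network.http.response_code.
SAMPLE_EVENTS = [
    # 203.0.113.7: three successful hits in 9 s, one 401, one hit much later
    {"ts": "2026-03-01T10:00:00", "event_type": "NETWORK_HTTP", "ip": "203.0.113.7",
     "url": "http://ds.internal/dolphinscheduler/datasources/list", "code": 200},
    {"ts": "2026-03-01T10:00:01", "event_type": "NETWORK_HTTP", "ip": "203.0.113.7",
     "url": "http://ds.internal/dolphinscheduler/datasources/9", "code": 401},
    {"ts": "2026-03-01T10:00:04", "event_type": "NETWORK_HTTP", "ip": "203.0.113.7",
     "url": "http://ds.internal/dolphinscheduler/datasources/1", "code": 200},
    {"ts": "2026-03-01T10:00:09", "event_type": "NETWORK_HTTP", "ip": "203.0.113.7",
     "url": "http://ds.internal/dolphinscheduler/datasources/2", "code": 200},
    {"ts": "2026-03-01T10:30:00", "event_type": "NETWORK_HTTP", "ip": "203.0.113.7",
     "url": "http://ds.internal/dolphinscheduler/datasources/verify", "code": 201},
    # 10.0.0.21: hypothetical worker node polling the list endpoint (benign)
    {"ts": "2026-03-01T10:01:00", "event_type": "NETWORK_HTTP", "ip": "10.0.0.21",
     "url": "http://ds.internal/dolphinscheduler/datasources/list", "code": 200},
    {"ts": "2026-03-01T10:01:30", "event_type": "NETWORK_HTTP", "ip": "10.0.0.21",
     "url": "http://ds.internal/dolphinscheduler/datasources/list", "code": 200},
    {"ts": "2026-03-01T10:02:00", "event_type": "NETWORK_HTTP", "ip": "10.0.0.21",
     "url": "http://ds.internal/dolphinscheduler/datasources/list", "code": 200},
    {"ts": "2026-03-01T10:02:30", "event_type": "NETWORK_HTTP", "ip": "10.0.0.21",
     "url": "http://ds.internal/dolphinscheduler/datasources/list", "code": 200},
    # 198.51.100.5: only two hits, below threshold
    {"ts": "2026-03-01T10:05:00", "event_type": "NETWORK_HTTP", "ip": "198.51.100.5",
     "url": "http://ds.internal/dolphinscheduler/datasources/list", "code": 200},
    {"ts": "2026-03-01T10:05:05", "event_type": "NETWORK_HTTP", "ip": "198.51.100.5",
     "url": "http://ds.internal/dolphinscheduler/datasources/3", "code": 200},
    # 192.0.2.9: three hits to an unrelated path, must not match
    {"ts": "2026-03-01T10:06:00", "event_type": "NETWORK_HTTP", "ip": "192.0.2.9",
     "url": "http://ds.internal/dolphinscheduler/projects", "code": 200},
    {"ts": "2026-03-01T10:06:01", "event_type": "NETWORK_HTTP", "ip": "192.0.2.9",
     "url": "http://ds.internal/dolphinscheduler/projects", "code": 200},
    {"ts": "2026-03-01T10:06:02", "event_type": "NETWORK_HTTP", "ip": "192.0.2.9",
     "url": "http://ds.internal/dolphinscheduler/projects", "code": 200},
]

# Assumed allowlist of known worker/monitoring hosts; replace with inventory.
KNOWN_WORKER_IPS = frozenset({"10.0.0.21"})


def matches_rule_event(ev):
    """Mirror the rule's events section: HTTP event, datasources path, 2xx."""
    path = urlparse(ev["url"]).path
    return (ev["event_type"] == "NETWORK_HTTP"
            and DATASOURCE_PATH.search(path) is not None
            and ev["code"] in SUCCESS_CODES)


def detect(events, allowlist=frozenset(), window=WINDOW, threshold=THRESHOLD):
    """Return {ip: {"hits": n, "distinct_endpoints": m}} for every source IP
    whose matching events reach `threshold` inside any `window`-long span.
    `hits` is the densest window; `distinct_endpoints` counts distinct paths
    across all of that IP's matching events (the getById sweep indicator)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["ip"] in allowlist or not matches_rule_event(ev):
            continue
        by_ip[ev["ip"]].append((datetime.fromisoformat(ev["ts"]),
                                urlparse(ev["url"]).path))
    alerts = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _ in items]
        left, best = 0, 0
        for right, t in enumerate(times):      # sliding window over sorted times
            while t - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            alerts[ip] = {"hits": best,
                          "distinct_endpoints": len({p for _, p in items})}
    return alerts


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_EVENTS, allowlist=KNOWN_WORKER_IPS).items():
        print(f"ALERT {ip}: {info['hits']} hits, "
              f"{info['distinct_endpoints']} distinct endpoints")
```

Running it without the allowlist flags both 203.0.113.7 and the worker node 10.0.0.21, which is exactly the first false-positive case above; passing `KNOWN_WORKER_IPS` leaves only the enumerating source. A high `distinct_endpoints` value alongside the hit count is the extra signal a triage analyst would use to separate a sequential getById sweep from a host repeatedly polling the same list endpoint.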
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated DolphinScheduler DataSource List Enumeration
  Expected signal: HTTP GET request to /dolphinscheduler/datasources/list with no Authorization header; HTTP 200 response containing a JSON array of data source objects with connection metadata
- Test 2: DolphinScheduler DataSource Credential Extraction via getById
  Expected signal: Sequential HTTP GET requests to /dolphinscheduler/datasources/[1-20] from the same source IP within 10 seconds; multiple HTTP 200 responses; high distinct_endpoints count
- Test 3: DolphinScheduler DataSource Verify Endpoint Credential Probe
  Expected signal: HTTP POST to /dolphinscheduler/datasources/verify with a JSON body containing credential parameters; outbound TCP connection from the DolphinScheduler host to TARGET_DB_HOST:3306