CVE-2026-32966 Elastic Security · Elastic

Detect Apache DolphinScheduler DataSource API Missing Authorization - Arbitrary Metadata Disclosure (CVE-2026-32966) in Elastic Security

Apache DolphinScheduler versions before 3.4.2 contain a missing authorization check in the DataSource API endpoint. An unauthenticated or low-privileged attacker can query data source metadata including connection strings, credentials, hostnames, and database names without appropriate access controls. CVSS 9.8 critical. Public PoC available.

MITRE ATT&CK

Tactics: Credential Access, Discovery, Collection

Elastic Detection Query

Platform: Elastic Security (Elastic)
Language: EQL

sequence by source.ip with maxspan=5m
  [network where event.category == "network" and event.dataset in ("apache.access", "nginx.access", "iis.access") and
   url.path : "*/dolphinscheduler/datasources*" and
   http.response.status_code in (200, 201)]
  [network where event.category == "network" and event.dataset in ("apache.access", "nginx.access", "iis.access") and
   url.path : "*/dolphinscheduler/datasources*" and
   http.response.status_code in (200, 201)]

Severity: critical. Confidence: medium.

This EQL sequence rule fires when two or more successful (HTTP 200/201) requests to the DolphinScheduler DataSource API arrive from the same source IP within 5 minutes, which may indicate CVE-2026-32966 exploitation or reconnaissance. Both stages of the sequence use the same filter, so any two qualifying requests from one IP complete the sequence; the rule does not inspect whether the requests were authenticated.
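To show how the sequence logic behaves on real telemetry, here is an added Python re-implementation of the rule run over constructed, flattened ECS-style access events. It is not Elastic's code; it approximates EQL sequence semantics (events processed in time order, a completed sequence consumes both events) and the sample events, the `ev` helper and the timestamps are invented for illustration.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatch

WEB_DATASETS = {"apache.access", "nginx.access", "iis.access"}
DATASOURCE_PATH = "*/dolphinscheduler/datasources*"


def ev(ts, ip, path, status, dataset="nginx.access"):
    """Build a constructed, flattened ECS-style web access event (not real data)."""
    return {"@timestamp": ts, "source.ip": ip, "event.category": "network",
            "event.dataset": dataset, "url.path": path, "http.response.status_code": status}


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    ev("2026-04-01T12:00:00Z", "10.0.0.5", "/dolphinscheduler/datasources/list", 200),
    ev("2026-04-01T12:00:03Z", "10.0.0.5", "/dolphinscheduler/datasources/1", 200),
    ev("2026-04-01T12:00:10Z", "10.0.0.9", "/dolphinscheduler/datasources/list", 200, "apache.access"),
    ev("2026-04-01T12:00:12Z", "10.0.0.7", "/dolphinscheduler/datasources/list", 401),  # fails status filter
    ev("2026-04-01T12:00:20Z", "10.0.0.5", "/dolphinscheduler/projects/list", 200),  # wrong path
    ev("2026-04-01T12:10:00Z", "10.0.0.9", "/dolphinscheduler/datasources/list", 200, "apache.access"),  # > 5m later
]


def matches_stage(event):
    """Mirror the per-event filter shared by both stages of the EQL rule."""
    return (event.get("event.category") == "network"
            and event.get("event.dataset") in WEB_DATASETS
            and fnmatch(event.get("url.path", ""), DATASOURCE_PATH)
            and event.get("http.response.status_code") in (200, 201))


def detect_sequences(events, maxspan=timedelta(minutes=5)):
    """Return (source.ip, first_ts, second_ts) for each pair of matching events
    from one source.ip within maxspan; simplified EQL sequence semantics."""
    pending = {}  # source.ip -> timestamp of an open first-stage event
    alerts = []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_stage(event):
            continue
        ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ip = event["source.ip"]
        first = pending.get(ip)
        if first is not None and ts - first <= maxspan:
            alerts.append((ip, first.isoformat(), ts.isoformat()))
            del pending[ip]  # sequence completed; both events are consumed
        else:
            pending[ip] = ts  # (re)open a sequence with this event as stage 1
    return alerts
```

Only 10.0.0.5 produces an alert: the 401 fails the status filter, the projects request fails the path filter, and the second 10.0.0.9 hit lands outside the 5 minute maxspan, which is exactly the gap a slow enumeration would exploit.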

Data Sources

  • Apache access logs
  • Nginx access logs
  • IIS access logs
  • Filebeat web logs

Required Tables

  • logs-apache.access-*
  • logs-nginx.access-*
  • logs-iis.access-*

False Positives & Tuning

  • Administrative users performing multiple datasource configuration checks
  • Monitoring agents making periodic connectivity validation calls
  • Automated test frameworks exercising the DolphinScheduler API
  • Load balancers performing upstream health checks on the DolphinScheduler API

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Unauthenticated DolphinScheduler DataSource List Enumeration

    Expected signal: HTTP GET request to /dolphinscheduler/datasources/list with no Authorization header; HTTP 200 response containing a JSON array of data source objects with connection metadata

  2. Test 2: DolphinScheduler DataSource Credential Extraction via getById

    Expected signal: Sequential HTTP GET requests to /dolphinscheduler/datasources/[1-20] from the same source IP within 10 seconds; multiple HTTP 200 responses; high distinct_endpoints count

  3. Test 3: DolphinScheduler DataSource Verify Endpoint Credential Probe

    Expected signal: HTTP POST to /dolphinscheduler/datasources/verify with a JSON body containing credential parameters; outbound TCP connection from the DolphinScheduler host to TARGET_DB_HOST:3306
