Detect Apache DolphinScheduler DataSource API Missing Authorization - Arbitrary Metadata Disclosure (CVE-2026-32966) in CrowdStrike LogScale
Apache DolphinScheduler versions before 3.4.2 contain a missing authorization check in the DataSource API endpoint. An unauthenticated or low-privileged attacker can query data source metadata including connection strings, credentials, hostnames, and database names without appropriate access controls. CVSS 9.8 critical. Public PoC available.
MITRE ATT&CK
- Tactics: Credential Access, Discovery, Collection
LogScale Detection Query
// HTTP access-log events from the reverse proxy, ingress, or api-server access log in front of DolphinScheduler
HttpPath = "*/dolphinscheduler/datasources*"
| in(HttpStatusCode, values=["200", "201"])
| groupBy([RemoteAddressIP4], function=[
    count(as=request_count),
    count(HttpPath, distinct=true, as=distinct_endpoints),
    collect([HttpPath]),
    min(@timestamp, as=first_seen),
    max(@timestamp, as=last_seen)
  ])
| request_count >= 3
| case {
    request_count >= 20 | risk := "critical";
    request_count >= 10 | risk := "high";
    * | risk := "medium"
  }
| sort(request_count, order=desc)
| select([RemoteAddressIP4, request_count, distinct_endpoints, HttpPath, risk, first_seen, last_seen])
CrowdStrike Falcon LogScale/CQL query identifying source IPs that received three or more HTTP 200/201 responses from DolphinScheduler DataSource API paths, the endpoints affected by the CVE-2026-32966 missing authorization check. The HttpPath and HttpStatusCode fields must come from an HTTP access log parsed into LogScale (reverse proxy, ingress, or the api-server's own access log); Falcon sensor NetworkConnectIP and NetworkReceiveAcceptIP events carry only IP and port tuples and cannot be matched on a URL path, so the original event_simpleName filter has been replaced by the access-log filter above. The `in()`, `case {}`, `collect([field])` and `select([...])` forms are the valid CQL syntax for the filters the query needs. Because the vulnerable server answers 200 to any caller, the query cannot tell authorized from unauthorized requests on its own; successful responses to a source that is not a known DolphinScheduler user, service account or pipeline runner are the signal, and the tuning list below exists to remove the known callers.
Data Sources
Required fields: RemoteAddressIP4, HttpPath, HttpStatusCode and @timestamp, from an HTTP access log for the DolphinScheduler API server (reverse proxy, ingress, or the api-server's own access log) ingested into LogScale.
False Positives & Tuning
- Legitimate DolphinScheduler API clients performing batch data source operations
- Red team exercises with active CrowdStrike monitoring in place
- Automated DevOps pipelines provisioning data sources during environment setup
- Scheduled DolphinScheduler internal jobs scanning available data sources for task execution
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated DolphinScheduler DataSource List Enumeration
Expected signal: HTTP GET request to /dolphinscheduler/datasources/list with no Authorization header; HTTP 200 response containing a JSON array of data source objects with connection metadata
- Test 2: DolphinScheduler DataSource Credential Extraction via getById
Expected signal: Sequential HTTP GET requests to /dolphinscheduler/datasources/[1-20] from the same source IP within 10 seconds; multiple HTTP 200 responses; high distinct_endpoints count
- Test 3: DolphinScheduler DataSource Verify Endpoint Credential Probe
Expected signal: HTTP POST to /dolphinscheduler/datasources/verify with a JSON body containing credential parameters; outbound TCP connection from the DolphinScheduler host to TARGET_DB_HOST:3306