
Detect Apache DolphinScheduler DataSource API Missing Authorization - Arbitrary Metadata Disclosure (CVE-2026-32966) in IBM QRadar

Apache DolphinScheduler versions before 3.4.2 contain a missing authorization check in the DataSource API endpoint. An unauthenticated or low-privileged attacker can query data source metadata, including connection strings, credentials, hostnames, and database names, without the access controls that should apply. CVSS 9.8 critical. Public PoC available.

MITRE ATT&CK

Tactics

  • Credential Access
  • Discovery
  • Collection

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  sourceip,
  COUNT(*) AS request_count,
  COUNT(DISTINCT "URL") AS distinct_endpoints,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen,
  "User-Agent" AS user_agent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Microsoft IIS', 'Nginx', 'F5 BIG-IP LTM')
  AND ("URL" ILIKE '%/dolphinscheduler/datasources%')
  AND ("responseCode" = '200' OR "responseCode" = '201' OR "responseCode" = 200 OR "responseCode" = 201)
GROUP BY
  sourceip,
  "User-Agent"
HAVING
  COUNT(*) >= 3
  OR COUNT(DISTINCT "URL") >= 2
ORDER BY request_count DESC
LAST 60 MINUTES
```

Severity: critical, Confidence: medium

The time window is set once by the trailing `LAST 60 MINUTES` clause; the original query also carried a `LOGSOURCETIME(starttime) > NOW() - 1 HOURS` predicate in the WHERE clause, which duplicates that window and is not valid AQL, so it has been dropped. "URL", "responseCode" and "User-Agent" are custom event properties and must be extracted from the web-server log sources for the query to match.

QRadar AQL query identifying source IPs making multiple successful requests to DolphinScheduler DataSource API endpoints, potentially exploiting CVE-2026-32966 to enumerate data source credentials and metadata.
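To show what the AQL rule actually keys on, here is the same grouping and threshold logic as an added Python example (not part of the original detection package) run over a few constructed Combined Log Format lines; field names, sample IPs and the `LOG_RE` parser are assumptions for the illustration, not QRadar internals.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format); not real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "GET /dolphinscheduler/datasources/list HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2026:12:00:02 +0000] "GET /dolphinscheduler/datasources/1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2026:12:00:03 +0000] "GET /dolphinscheduler/datasources/2 HTTP/1.1" 200 511 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:12:00:05 +0000] "GET /dolphinscheduler/datasources/list HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:12:00:06 +0000] "GET /dolphinscheduler/projects/list HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2026:12:00:09 +0000] "GET /dolphinscheduler/datasources/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumed parser for the fields the AQL rule uses: sourceip, URL, responseCode, User-Agent, starttime.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_access_log(text):
    """Yield one dict per parsable log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_datasource_enumeration(records, min_requests=3, min_distinct=2):
    """Mirror the AQL rule: keep 200/201 hits on the DataSource API, group by (IP, UA), apply HAVING."""
    groups = defaultdict(lambda: {"request_count": 0, "urls": set(), "timestamps": []})
    for r in records:
        # ILIKE '%/dolphinscheduler/datasources%' is a case-insensitive substring match
        if "/dolphinscheduler/datasources" not in r["url"].lower():
            continue
        if r["status"] not in ("200", "201"):  # failed/denied requests do not count
            continue
        g = groups[(r["ip"], r["ua"])]
        g["request_count"] += 1
        g["urls"].add(r["url"])
        g["timestamps"].append(r["ts"])
    alerts = []
    for (ip, ua), g in groups.items():
        if g["request_count"] >= min_requests or len(g["urls"]) >= min_distinct:
            alerts.append({"sourceip": ip, "user_agent": ua, "request_count": g["request_count"],
                           "distinct_endpoints": len(g["urls"]),
                           "first_seen": g["timestamps"][0], "last_seen": g["timestamps"][-1]})
    return sorted(alerts, key=lambda a: a["request_count"], reverse=True)

if __name__ == "__main__":
    for alert in find_datasource_enumeration(parse_access_log(SAMPLE_LOG)):
        print(alert)
```

On the sample above only 203.0.113.10 fires: its three successful hits on distinct DataSource URLs satisfy both HAVING thresholds, the 401 from 198.51.100.7 is excluded by the response-code filter, and the single request from 192.0.2.44 stays below both thresholds.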

Data Sources

  • Apache HTTP Server logs
  • IIS logs
  • Nginx logs
  • F5 BIG-IP logs

Required Tables

events

False Positives & Tuning

  • Authorized penetration testers running API enumeration scans
  • DolphinScheduler internal workers polling data source health
  • Monitoring dashboards periodically refreshing data source status
  • Backup or migration tools bulk-reading data source configurations

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Unauthenticated DolphinScheduler DataSource List Enumeration

    Expected signal: HTTP GET request to /dolphinscheduler/datasources/list with no Authorization header; HTTP 200 response containing a JSON array of data source objects with connection metadata

  2. Test 2: DolphinScheduler DataSource Credential Extraction via getById

    Expected signal: Sequential HTTP GET requests to /dolphinscheduler/datasources/[1-20] from the same source IP within 10 seconds; multiple HTTP 200 responses; high distinct_endpoints count

  3. Test 3: DolphinScheduler DataSource Verify Endpoint Credential Probe

    Expected signal: HTTP POST to /dolphinscheduler/datasources/verify with a JSON body containing credential parameters; outbound TCP connection from the DolphinScheduler host to TARGET_DB_HOST:3306
