CVE-2026-32966 Microsoft Sentinel · KQL

Detect Apache DolphinScheduler DataSource API Missing Authorization - Arbitrary Metadata Disclosure (CVE-2026-32966) in Microsoft Sentinel

Apache DolphinScheduler versions before 3.4.2 are missing an authorization check on the DataSource API. An unauthenticated or low-privileged attacker can query data source metadata, including connection strings, credentials, hostnames and database names, without the access controls the rest of the API applies. CVSS 9.8 critical. Public PoC available.

MITRE ATT&CK

Tactics

  • Credential Access
  • Discovery
  • Collection

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// Successful requests to the DolphinScheduler DataSource API. The unanchored regex matches
// /dolphinscheduler/datasources itself and every sub-path (/list, /connect, /verify, numeric
// /{id} lookups), so all three sources see the same set of endpoints.
let DataSourceApi = @"/dolphinscheduler/datasources(/|\?|$)";
union isfuzzy=true
(
    // Application Gateway and Front Door access logs land in AzureDiagnostics with different
    // column names (httpStatus_d / clientIP_s vs httpStatusCode_s / clientIp_s);
    // column_ifexists keeps the query valid when only one product is onboarded.
    AzureDiagnostics
    | where Category == "ApplicationGatewayAccessLog" or Category == "FrontdoorAccessLog"
    | where requestUri_s matches regex DataSourceApi
    | extend ResponseCode = iff(Category == "ApplicationGatewayAccessLog",
                                tostring(toint(column_ifexists("httpStatus_d", real(null)))),
                                tostring(column_ifexists("httpStatusCode_s", "")))
    | extend CallerIPAddress = iff(Category == "ApplicationGatewayAccessLog",
                                   tostring(column_ifexists("clientIP_s", "")),
                                   tostring(column_ifexists("clientIp_s", "")))
    | where ResponseCode in ("200", "201")
    | project TimeGenerated, CallerIPAddress, RequestUri = requestUri_s, HttpMethod = httpMethod_s, ResponseCode, UserAgent = userAgent_s
),
(
    W3CIISLog
    | where csUriStem matches regex DataSourceApi
    | where scStatus in (200, 201)
    // scStatus is an int; cast so the union does not split ResponseCode into two typed columns
    | project TimeGenerated, CallerIPAddress = cIP, RequestUri = csUriStem, HttpMethod = csMethod, ResponseCode = tostring(scStatus), UserAgent = csUserAgent
),
(
    CommonSecurityLog
    | where DeviceVendor == "Apache" or ApplicationProtocol == "HTTP"
    | where RequestURL matches regex DataSourceApi
    | where EventOutcome in ("200", "201")
    | project TimeGenerated, CallerIPAddress = SourceIP, RequestUri = RequestURL, HttpMethod = RequestMethod, ResponseCode = EventOutcome, UserAgent = RequestClientApplication
)
// Burst / enumeration logic: per source IP and User-Agent in 5-minute bins
| summarize RequestCount = count(), DistinctEndpoints = dcount(RequestUri), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by CallerIPAddress, UserAgent, bin(TimeGenerated, 5m)
// A single successful call (one /list request) stays below threshold by design;
// lower RequestCount to 1 for high-fidelity sources such as an internet-facing gateway.
| where RequestCount >= 3 or DistinctEndpoints >= 2
| extend RiskScore = case(
    RequestCount >= 20, "Critical",
    RequestCount >= 10, "High",
    DistinctEndpoints >= 3, "High",
    "Medium"
  )
| project-reorder TimeGenerated, CallerIPAddress, RequestCount, DistinctEndpoints, RiskScore, FirstSeen, LastSeen, UserAgent
```
Severity: Critical · Confidence: Medium

Detects repeated or enumeration-style successful HTTP requests to Apache DolphinScheduler DataSource API endpoints that may indicate exploitation of the missing authorization check in CVE-2026-32966. Monitors for burst access patterns across multiple log sources: Azure Application Gateway and Front Door access logs (AzureDiagnostics), IIS (W3CIISLog), and CEF-forwarded proxy or WAF logs (CommonSecurityLog). Because the rule only sees the HTTP layer, it cannot tell an authenticated administrator from an unauthenticated attacker; the burst thresholds and the tuning notes below carry that distinction.

Data Sources

  • AzureDiagnostics
  • W3CIISLog
  • CommonSecurityLog
  • AzureActivityLog

Required Tables

  • AzureDiagnostics
  • W3CIISLog
  • CommonSecurityLog

False Positives & Tuning

  • Legitimate DolphinScheduler administrators performing bulk data source configuration or auditing
  • Automated health check or monitoring scripts querying DataSource API endpoints at regular intervals
  • CI/CD pipelines that validate data source connectivity during deployment processes
  • DolphinScheduler internal service-to-service communication for scheduling tasks
  • Tuning: exclude known monitoring and CI source addresses (for example via a Sentinel watchlist joined before the summarize step) rather than raising the thresholds; a real exploitation run can be as short as a handful of requests, and health checks usually present a fixed User-Agent that makes them easy to key on

Testing Methodology

Validate this detection against the three atomic-style test scenarios below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Unauthenticated DolphinScheduler DataSource List Enumeration

    Expected signal: HTTP GET request to /dolphinscheduler/datasources/list with no Authorization header; HTTP 200 response containing a JSON array of data source objects with connection metadata. Note that a single successful request is below the rule's RequestCount >= 3 / DistinctEndpoints >= 2 threshold; repeat the request or lower the threshold to see it fire

  2. Test 2: DolphinScheduler DataSource Credential Extraction via getById

    Expected signal: Sequential HTTP GET requests to /dolphinscheduler/datasources/[1-20] from the same source IP within 10 seconds; multiple HTTP 200 responses; a high DistinctEndpoints count in the rule output (20 distinct URIs in one 5-minute bin scores Critical)

  3. Test 3: DolphinScheduler DataSource Verify Endpoint Credential Probe

    Expected signal: HTTP POST to /dolphinscheduler/datasources/verify with a JSON body containing credential parameters; outbound TCP connection from the DolphinScheduler host to the attacker-supplied database host (TARGET_DB_HOST:3306 in the test), which is the signal to pair with the HTTP telemetry
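To check the rule's thresholds and RiskScore tiers offline before deploying it, the following Python replays the same logic (5-minute bins per source IP and User-Agent, RequestCount >= 3 or DistinctEndpoints >= 2, the ordered case() tiers) over a few constructed W3C IIS log lines that reproduce Tests 1 to 3 above. This is an added example, not part of the original detection page or of Apache DolphinScheduler: the log lines, IP addresses and user agents are constructed, the field layout assumes the `date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)` subset, and the `allowlist` parameter is a hypothetical stand-in for the watchlist exclusion discussed under tuning.

```python
"""Offline replay of the CVE-2026-32966 DataSource API burst detection.

Added example (not the page's rule or DolphinScheduler code). Mirrors the KQL:
successful hits to /dolphinscheduler/datasources*, grouped by (ip, ua, 5m bin),
alert when RequestCount >= 3 or DistinctEndpoints >= 2, then RiskScore tiers.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Same unanchored pattern as the KQL: base path plus any sub-path or query string.
DATASOURCE_RE = re.compile(r"/dolphinscheduler/datasources(/|\?|$)")
SUCCESS_CODES = {"200", "201"}
BUCKET = timedelta(minutes=5)

# Constructed W3C IIS lines (not real telemetry; RFC 5737 documentation addresses).
# 203.0.113.7 plays Tests 1-3 in one burst; the other rows are benign or failed.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2026-03-01 10:00:01 203.0.113.7 GET /dolphinscheduler/datasources/list 200 python-requests/2.31
2026-03-01 10:00:03 203.0.113.7 GET /dolphinscheduler/datasources/1 200 python-requests/2.31
2026-03-01 10:00:04 203.0.113.7 GET /dolphinscheduler/datasources/2 200 python-requests/2.31
2026-03-01 10:00:05 203.0.113.7 GET /dolphinscheduler/datasources/3 200 python-requests/2.31
2026-03-01 10:00:09 203.0.113.7 POST /dolphinscheduler/datasources/verify 200 python-requests/2.31
2026-03-01 10:01:00 198.51.100.5 GET /dolphinscheduler/datasources/list 200 Mozilla/5.0
2026-03-01 10:02:30 198.51.100.9 GET /dolphinscheduler/projects/list 200 Mozilla/5.0
2026-03-01 10:03:00 198.51.100.9 GET /dolphinscheduler/datasources/list 401 curl/8.4
2026-03-01 10:03:01 198.51.100.9 GET /dolphinscheduler/datasources/list 401 curl/8.4
2026-03-01 10:03:02 198.51.100.9 GET /dolphinscheduler/datasources/list 401 curl/8.4
"""


def parse_w3c(lines: Iterable[str]) -> list[dict]:
    """Parse the W3C IIS field subset used by the rule; skip directives and blanks."""
    events = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        # User-Agent is last, so a maxsplit of 6 keeps it intact even if it has '+'.
        date, time_, c_ip, method, uri, status, ua = line.split(None, 6)
        events.append({
            "time": datetime.fromisoformat(f"{date} {time_}").replace(tzinfo=timezone.utc),
            "ip": c_ip, "method": method, "uri": uri, "status": status, "ua": ua.strip(),
        })
    return events


def bucket_start(ts: datetime) -> datetime:
    """Equivalent of KQL bin(TimeGenerated, 5m): floor to the 5-minute boundary."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // BUCKET) * BUCKET


def risk_score(count: int, endpoints: int) -> str:
    """Same ordered case() as the KQL: the first matching tier wins."""
    if count >= 20:
        return "Critical"
    if count >= 10 or endpoints >= 3:
        return "High"
    return "Medium"


def detect(events: list[dict], allowlist: frozenset[str] | set[str] = frozenset()) -> list[dict]:
    """Group successful DataSource API hits by (ip, ua, bin) and apply the thresholds.

    allowlist (hypothetical tuning knob): source IPs of known health checks / CI runners
    to suppress before aggregation, the role a Sentinel watchlist would play in KQL.
    """
    groups = defaultdict(lambda: {"count": 0, "uris": set(), "first": None, "last": None})
    for e in events:
        if e["ip"] in allowlist or e["status"] not in SUCCESS_CODES:
            continue
        if not DATASOURCE_RE.search(e["uri"]):
            continue
        g = groups[(e["ip"], e["ua"], bucket_start(e["time"]))]
        g["count"] += 1
        g["uris"].add(e["uri"])
        g["first"] = e["time"] if g["first"] is None else min(g["first"], e["time"])
        g["last"] = e["time"] if g["last"] is None else max(g["last"], e["time"])

    alerts = []
    for (ip, ua, bucket), g in sorted(groups.items(), key=lambda kv: kv[0][2]):
        if g["count"] >= 3 or len(g["uris"]) >= 2:
            alerts.append({
                "TimeGenerated": bucket, "CallerIPAddress": ip, "UserAgent": ua,
                "RequestCount": g["count"], "DistinctEndpoints": len(g["uris"]),
                "RiskScore": risk_score(g["count"], len(g["uris"])),
                "FirstSeen": g["first"], "LastSeen": g["last"],
            })
    return alerts


if __name__ == "__main__":
    for row in detect(parse_w3c(SAMPLE_LOG.splitlines())):
        print(row["RiskScore"], row["CallerIPAddress"], row["RequestCount"],
              row["DistinctEndpoints"], row["UserAgent"])
```

Running it shows why the thresholds matter: the single benign /list call from 198.51.100.5 never surfaces, the three 401s from the curl probe are dropped before aggregation (the rule only counts successes, so a blocked scanner is invisible to it), and the five-request burst from 203.0.113.7 scores High through the DistinctEndpoints >= 3 tier rather than through request volume. Passing that address in `allowlist` suppresses it entirely, which is exactly why allowlisting should be reserved for sources whose behaviour is fixed and known.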
