Detect Apache DolphinScheduler DataSource API Missing Authorization - Arbitrary Metadata Disclosure (CVE-2026-32966) in Splunk
Apache DolphinScheduler versions before 3.4.2 contain a missing authorization check in the DataSource API endpoint. An unauthenticated or low-privileged attacker can query data source metadata including connection strings, credentials, hostnames, and database names without appropriate access controls. CVSS 9.8 critical. Public PoC available.
MITRE ATT&CK
- Tactics
  - Credential Access
  - Discovery
  - Collection
SPL Detection Query
Detects enumeration or exploitation attempts against Apache DolphinScheduler DataSource API endpoints indicative of CVE-2026-32966 missing authorization abuse. Correlates source IP access patterns across web/proxy log sourcetypes.

```spl
index=web OR index=proxy OR index=apache sourcetype IN ("access_combined", "access_combined_wcookie", "iis", "apache:access", "pan:traffic", "squid")
(uri_path="*/dolphinscheduler/datasources*" OR cs_uri_stem="*/dolphinscheduler/datasources*" OR url="*/dolphinscheduler/datasources*")
(status=200 OR status=201 OR sc_status=200 OR sc_status=201)
| eval endpoint=coalesce(uri_path, cs_uri_stem, url),
       src_ip=coalesce(src_ip, c_ip, clientip, src),
       useragent=coalesce(useragent, cs_useragent, http_user_agent),
       method=coalesce(method, cs_method, http_method)
| stats count AS request_count,
        dc(endpoint) AS distinct_endpoints,
        values(endpoint) AS endpoints_accessed,
        values(method) AS methods_used,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY src_ip, useragent
| where request_count >= 3 OR distinct_endpoints >= 2
| eval risk_score=case(
        request_count >= 20, "critical",
        request_count >= 10, "high",
        distinct_endpoints >= 3, "high",
        true(), "medium"
  )
| eval duration_seconds=last_seen - first_seen
| sort -request_count
| table src_ip, request_count, distinct_endpoints, endpoints_accessed, methods_used, risk_score, duration_seconds, first_seen, last_seen, useragent
```
Data Sources
Required Sourcetypes
The search reads web-server and proxy access logs from index=web, index=proxy or index=apache and normalises their differing field names with coalesce(). At least one of the following sourcetypes must be onboarded:
- access_combined, access_combined_wcookie (Apache/NGINX combined log format)
- apache:access
- iis (Microsoft IIS; fields cs_uri_stem, c_ip, cs_useragent, cs_method, sc_status)
- squid
- pan:traffic (Palo Alto Networks; matched on the url field)
False Positives & Tuning
- Legitimate bulk administrative queries from DolphinScheduler management tooling
- Automated monitoring or synthetic transaction testing tools
- Internal service mesh health checks hitting DataSource endpoints
- Security scanners running authorized vulnerability assessments
Tuning notes:
- The search keeps only 200/201 responses, so a source whose requests are mostly rejected (401/403) never reaches the stats stage. Run a companion search on the same URI pattern with status >= 400 to surface probing that failed.
- The where clause requires at least three requests or two distinct endpoints per source, so a single call to the list endpoint is not alerted on by itself; lower the thresholds only if the host is not exposed to general traffic.
- Grouping BY src_ip, useragent splits one client that rotates its User-Agent across several rows; drop useragent from the BY clause if that evasion matters more than attribution.
- Suppress the known tooling above by allowlisting its source IPs rather than by raising the thresholds.
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated DolphinScheduler DataSource List Enumeration
  Expected signal: HTTP GET request to /dolphinscheduler/datasources/list with no Authorization header; HTTP 200 response containing a JSON array of data source objects with connection metadata
- Test 2: DolphinScheduler DataSource Credential Extraction via getById
  Expected signal: Sequential HTTP GET requests to /dolphinscheduler/datasources/[1-20] from the same source IP within 10 seconds; multiple HTTP 200 responses; high distinct_endpoints count
- Test 3: DolphinScheduler DataSource Verify Endpoint Credential Probe
  Expected signal: HTTP POST to /dolphinscheduler/datasources/verify with a JSON body containing credential parameters; outbound TCP connection from the DolphinScheduler host to TARGET_DB_HOST:3306
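To check what the SPL query above actually fires on before it is deployed, the following added example (not code from the original page or from the DolphinScheduler project) re-implements the same filter, stats, where and case() stages in Python over constructed access_combined log lines shaped like the expected signals of Tests 1 to 3. The IP addresses, timestamps and User-Agent strings are made up for the example; the only real identifiers are the DataSource API paths the tests name.

```python
"""Offline re-implementation of the SPL detection stages over combined-format
access log lines. Added example; the sample lines are constructed, not captured."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/NGINX "combined" log format, i.e. Splunk sourcetype access_combined.
COMBINED_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)

# Constructed sample lines mirroring the three tests: one unauthenticated /list
# call (Test 1), a getById sweep of ids 1-20 followed by a POST to /verify from
# a second host (Tests 2 and 3), plus an unrelated endpoint and a rejected (401)
# probe that must not count towards an alert.
SAMPLE_LOG = (
    ['203.0.113.10 - - [12/Mar/2026:10:00:00 +0000] '
     '"GET /dolphinscheduler/datasources/list HTTP/1.1" 200 4821 "-" "python-requests/2.31"']
    + [f'198.51.100.7 - - [12/Mar/2026:10:01:{i:02d} +0000] '
       f'"GET /dolphinscheduler/datasources/{i} HTTP/1.1" 200 640 "-" "curl/8.5.0"'
       for i in range(1, 21)]
    + ['198.51.100.7 - - [12/Mar/2026:10:01:25 +0000] '
       '"POST /dolphinscheduler/datasources/verify HTTP/1.1" 200 58 "-" "curl/8.5.0"',
       '192.0.2.44 - - [12/Mar/2026:10:02:00 +0000] '
       '"GET /dolphinscheduler/projects/list HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
       '192.0.2.45 - - [12/Mar/2026:10:03:00 +0000] '
       '"GET /dolphinscheduler/datasources/list HTTP/1.1" 401 0 "-" "curl/8.5.0"']
)


def parse_line(line):
    """Return the fields the SPL coalesces to (src_ip, method, endpoint, status,
    useragent, time), or None for a line that is not in combined format."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # uri_path in Splunk excludes the query string; strip it the same way.
    rec["endpoint"] = rec.pop("uri").split("?", 1)[0]
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def risk_score(request_count, distinct_endpoints):
    """Same ladder as the SPL case(): the first matching branch wins."""
    if request_count >= 20:
        return "critical"
    if request_count >= 10:
        return "high"
    if distinct_endpoints >= 3:
        return "high"
    return "medium"


def detect(lines):
    """Apply the search filters, the stats BY src_ip, useragent, and the
    where/eval/sort stages; return one dict per surviving (src_ip, useragent)."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # uri_path="*/dolphinscheduler/datasources*" is a substring match.
        if "/dolphinscheduler/datasources" not in rec["endpoint"]:
            continue
        # Only successful responses count; 401/403 probes are dropped here.
        if rec["status"] not in (200, 201):
            continue
        groups[(rec["src_ip"], rec["useragent"])].append(rec)

    results = []
    for (src_ip, useragent), recs in groups.items():
        endpoints = sorted({r["endpoint"] for r in recs})
        request_count = len(recs)
        distinct_endpoints = len(endpoints)
        if not (request_count >= 3 or distinct_endpoints >= 2):
            continue
        first_seen = min(r["time"] for r in recs)
        last_seen = max(r["time"] for r in recs)
        results.append({
            "src_ip": src_ip,
            "useragent": useragent,
            "request_count": request_count,
            "distinct_endpoints": distinct_endpoints,
            "endpoints_accessed": endpoints,
            "methods_used": sorted({r["method"] for r in recs}),
            "risk_score": risk_score(request_count, distinct_endpoints),
            "duration_seconds": int((last_seen - first_seen).total_seconds()),
            "first_seen": first_seen,
            "last_seen": last_seen,
        })
    results.sort(key=lambda r: r["request_count"], reverse=True)
    return results


if __name__ == "__main__":
    for row in detect(SAMPLE_LOG):
        print(row["src_ip"], row["request_count"], row["distinct_endpoints"],
              row["risk_score"], row["duration_seconds"], row["methods_used"])
```

Run as a script it prints one row: 198.51.100.7 with 21 requests across 21 endpoints, rated critical, spanning 24 seconds with GET and POST. The Test 1 host (one successful GET to /list) produces no row, because the where clause needs three requests or two distinct endpoints; on its own, Test 1 is only caught if the thresholds are lowered or the list call is followed by further DataSource requests from the same source and User-Agent. The 401 probe is likewise invisible, which is the reason the tuning notes recommend a companion search on failed status codes.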