CVE-2026-32966 Sumo Logic CSE · Sumo

Detect Apache DolphinScheduler DataSource API Missing Authorization - Arbitrary Metadata Disclosure (CVE-2026-32966) in Sumo Logic CSE

Apache DolphinScheduler versions before 3.4.2 contain a missing authorization check in the DataSource API endpoint. An unauthenticated or low-privileged attacker can query data source metadata including connection strings, credentials, hostnames, and database names without appropriate access controls. CVSS 9.8 critical. Public PoC available.

MITRE ATT&CK

Tactics: Credential Access, Discovery, Collection

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
_sourceCategory=apache OR _sourceCategory=nginx OR _sourceCategory=iis OR _sourceCategory=web/access
// extract source IP, request path and HTTP status from the access log line
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "\"(?:GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) (?<uri_path>[^\" ]+)" nodrop
| parse regex "\"\s(?<status_code>\d{3})\s" nodrop
// only successful hits on the DataSource API are of interest
| where uri_path matches "*/dolphinscheduler/datasources*"
| where status_code in ("200", "201")
| timeslice 5m
| count as request_count, count_distinct(uri_path) as distinct_endpoints, values(uri_path) as accessed_paths by src_ip, _timeslice
| where request_count >= 3 or distinct_endpoints >= 2
| if (request_count >= 20, "critical", if (request_count >= 10, "high", if (distinct_endpoints >= 3, "high", "medium"))) as risk_level
| sort by request_count desc
```

Severity: critical · Confidence: medium

Sumo Logic query detecting abnormal access patterns to Apache DolphinScheduler DataSource API endpoints consistent with CVE-2026-32966 exploitation, using regex parsing on web access logs.
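The same aggregation logic as the query above, reimplemented in Python so it can be dry-run offline against a handful of access log lines before the Sumo rule is deployed. This is an added example, not code from the detection package; it assumes Apache combined log format, and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample Apache combined-log lines (not from any real system).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2026:12:00:01 +0000] "GET /dolphinscheduler/datasources/list HTTP/1.1" 200 2411 "-" "curl/8.4"
198.51.100.7 - - [10/Mar/2026:12:00:04 +0000] "GET /dolphinscheduler/datasources/1 HTTP/1.1" 200 640 "-" "curl/8.4"
198.51.100.7 - - [10/Mar/2026:12:00:05 +0000] "GET /dolphinscheduler/datasources/2 HTTP/1.1" 200 655 "-" "curl/8.4"
198.51.100.7 - - [10/Mar/2026:12:00:06 +0000] "GET /dolphinscheduler/datasources/3 HTTP/1.1" 401 120 "-" "curl/8.4"
203.0.113.9 - - [10/Mar/2026:12:03:10 +0000] "GET /dolphinscheduler/projects/list HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:12:03:12 +0000] "GET /dolphinscheduler/datasources/list HTTP/1.1" 200 2411 "-" "Mozilla/5.0"
"""
# The same three captures the Sumo query's parse regex statements extract.
LINE_RE = re.compile(
    r'^(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) (?P<uri_path>[^" ]+)[^"]*" (?P<status>\d{3})')

def timeslice(ts: datetime, minutes: int = 5) -> datetime:
    # Floor to the start of the N-minute bucket, like `timeslice 5m`.
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)

def risk_level(request_count: int, distinct_endpoints: int) -> str:
    # Mirrors the query's nested if(): volume thresholds first, then endpoint breadth.
    if request_count >= 20:
        return "critical"
    return "high" if request_count >= 10 or distinct_endpoints >= 3 else "medium"

def detect(log_text: str) -> list:
    buckets = defaultdict(lambda: {"n": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines can never satisfy the path/status filters
        path, status = m.group("uri_path"), m.group("status")
        # `matches "*/dolphinscheduler/datasources*"` and `status_code in ("200", "201")`
        if "/dolphinscheduler/datasources" not in path or status not in ("200", "201"):
            continue
        b = buckets[(m.group("src_ip"),
                     timeslice(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")))]
        b["n"] += 1
        b["paths"].add(path)
    alerts = []
    for (src_ip, slot), b in buckets.items():
        n, d = b["n"], len(b["paths"])
        if n >= 3 or d >= 2:  # `where request_count >= 3 or distinct_endpoints >= 2`
            alerts.append({"src_ip": src_ip, "timeslice": slot.isoformat(), "request_count": n,
                           "distinct_endpoints": d, "accessed_paths": sorted(b["paths"]),
                           "risk_level": risk_level(n, d)})
    return sorted(alerts, key=lambda a: a["request_count"], reverse=True)
```

On the sample, only 198.51.100.7 is flagged (three successful hits on three distinct endpoints in one slice, rated high); the 401 is dropped by the status filter and the single hit from 203.0.113.9 stays under both thresholds.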

Data Sources

  • Apache access logs
  • Nginx access logs
  • IIS access logs
  • Web proxy logs

Required Tables

  • apache_access
  • nginx_access
  • iis_access

False Positives & Tuning

  • Scheduled jobs within DolphinScheduler that validate multiple data source connections
  • Administrative scripts enumerating datasources for documentation or auditing
  • Web application firewalls or API gateways performing upstream health validation
  • Developers testing DolphinScheduler integrations in staging environments sharing log pipelines


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Unauthenticated DolphinScheduler DataSource List Enumeration

    Expected signal: HTTP GET request to /dolphinscheduler/datasources/list with no Authorization header; HTTP 200 response containing JSON array of data source objects with connection metadata

  2. Test 2: DolphinScheduler DataSource Credential Extraction via getById

    Expected signal: Sequential HTTP GET requests to /dolphinscheduler/datasources/[1-20] from same source IP within 10 seconds; multiple HTTP 200 responses; high distinct_endpoints count

  3. Test 3: DolphinScheduler DataSource Verify Endpoint Credential Probe

    Expected signal: HTTP POST to /dolphinscheduler/datasources/verify with JSON body containing credential parameters; outbound TCP connection from DolphinScheduler host to TARGET_DB_HOST:3306
