PatchSiren cyber security CVE debrief

CVE-2026-32966 Apache Software Foundation CVE debrief

Apache DolphinScheduler versions before 3.4.2 are affected by CVE-2026-32966, a critical issue (CVSS 9.8) caused by a missing authorization check in the DataSource API. A remote attacker with no credentials can call the affected endpoints and read arbitrary data source metadata. The vulnerability was published on June 17, 2026; the fix ships in version 3.4.2, and users of earlier releases are advised to upgrade. The weakness is classified as CWE-863 (Incorrect Authorization): the API performs its work without verifying that the caller is entitled to the resource it returns.

Vendor
Apache Software Foundation
Product
Apache DolphinScheduler
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Any organization running Apache DolphinScheduler older than 3.4.2 should upgrade to 3.4.2 or later. Because the flaw is reachable over the network without credentials, the risk is highest where the DolphinScheduler API server can be reached from untrusted networks or by untrusted users. Data source entries describe the databases and other systems the scheduler connects to, so the disclosed metadata can help an attacker map an environment and pick its next target.

Technical summary

CVE-2026-32966 arises from a missing authorization check in the DataSource API of Apache DolphinScheduler. The API manages the data source definitions that workflows connect to; in affected versions its requests are served without verifying that the caller is entitled to the data source, so data source metadata can be read without authorization. The recorded CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network (AV:N), low attack complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N) required, unchanged scope, and high confidentiality, integrity and availability impact. Note that the described effect is metadata disclosure, which on its own accounts for the confidentiality component; the vector also rates integrity and availability as high, and the stored evidence does not explain those components. Treat 9.8 as the published severity, and assess local impact by what the exposed data source records contain and what an attacker could reach with them.

Defensive priority

High

Recommended defensive actions

  • Upgrade Apache DolphinScheduler to version 3.4.2 or later; this is the only fix the advisory provides.
  • Until the upgrade is done, restrict network access to the DolphinScheduler API server so that only trusted users and networks can reach it.
  • Monitor access logs for requests to the DataSource API that carry no valid session, or that come from sources that have no business using it, and treat them as probing for this flaw.
  • If the data source records include credentials or connection strings, treat them as potentially exposed for as long as the instance was reachable by untrusted parties, and rotate them.
  • For API code you maintain, enforce authentication and per-resource authorization on every endpoint rather than relying on the UI to hide actions; review existing endpoints for the same omission.
  • Apply security patches promptly and audit exposed services periodically so that issues of this kind are found before they are exploited.
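One way to implement the per-endpoint authorization check recommended above, as an added example written for this debrief rather than DolphinScheduler's own code. The record fields, the session tokens and the owner-or-granted permission rule are assumptions chosen to show the pattern; the point is the contrast between a handler that serves any caller who reaches it and one that authenticates, authorizes per object and never returns the connection secret.

```python
"""A minimal data source API: one handler with the missing authorization
check, beside hardened handlers for the same resource.

Example code for this debrief; it does not reproduce Apache DolphinScheduler.
Record fields, sessions and the permission rule are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class DataSource:
    id: int
    name: str
    type: str
    host: str
    owner: str                      # user who created the record
    shared_with: set = field(default_factory=set)
    password: str = ""              # connection secret; must never leave the server


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


# Constructed sample data: no real hosts or secrets.
STORE = {
    1: DataSource(1, "warehouse", "postgresql", "pg.internal.example", "alice", set(), "s3cret-a"),
    2: DataSource(2, "events", "mysql", "db.internal.example", "bob", {"carol"}, "s3cret-b"),
    3: DataSource(3, "hive-prod", "hive", "hive.internal.example", "carol", set(), "s3cret-c"),
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}


def user_from(request: dict):
    """Resolve the session token carried by the request to a user, or None."""
    return SESSIONS.get(request.get("session"))


# --- vulnerable: does its work for anyone who can reach it ----------------------
def list_datasources_vulnerable(request: dict) -> list:
    """Returns every record, secrets included, with no authorization check."""
    return [vars(ds) for ds in STORE.values()]


# --- hardened -------------------------------------------------------------------
def _visible_to(user: str, ds: DataSource) -> bool:
    """Authorization rule: the owner or an explicitly granted user."""
    return ds.owner == user or user in ds.shared_with


def _public_view(ds: DataSource) -> dict:
    """Metadata the caller may see; the secret is not part of the view."""
    return {"id": ds.id, "name": ds.name, "type": ds.type, "host": ds.host, "owner": ds.owner}


def list_datasources(request: dict) -> list:
    user = user_from(request)
    if user is None:
        raise ApiError(401, "authentication required")
    return [_public_view(ds) for ds in STORE.values() if _visible_to(user, ds)]


def get_datasource(request: dict, ds_id: int) -> dict:
    """Per-object check: being logged in is not enough (the CWE-863 case)."""
    user = user_from(request)
    if user is None:
        raise ApiError(401, "authentication required")
    ds = STORE.get(ds_id)
    # Same status for 'missing' and 'not yours', so ids cannot be enumerated.
    if ds is None or not _visible_to(user, ds):
        raise ApiError(404, "data source not found")
    return _public_view(ds)


def call(handler, *args) -> tuple:
    """Run a handler and return (status, body), as the HTTP layer would."""
    try:
        return 200, handler(*args)
    except ApiError as e:
        return e.status, {"error": str(e)}


if __name__ == "__main__":
    print(call(list_datasources_vulnerable, {}))           # everything, to nobody in particular
    print(call(list_datasources, {}))                      # 401
    print(call(list_datasources, {"session": "tok-carol"}))  # only what carol may see
    print(call(get_datasource, {"session": "tok-bob"}, 1))   # 404: exists, but not bob's
```

The hardened `get_datasource` returns 404 rather than 403 for a record the caller may not see, so that a logged-in user cannot enumerate which ids exist; whether that trade-off suits a given deployment is a design choice, but the authorization decision itself must be made on the server for every request.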

Evidence notes

The information above is based on the CVE-2026-32966 record and related sources. The CVE was published on June 17, 2026, and last modified the same day. Affected: Apache DolphinScheduler versions before 3.4.2. The CVSS base score of 9.8 (critical) follows from the recorded vector; the weakness is classified as CWE-863 (Incorrect Authorization). CISA KEV status is not recorded in the stored evidence.
