CVE-2026-32966: Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure

June 17, 2026 (updated June 18, 2026)

DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler.

This issue affects Apache DolphinScheduler: before 3.4.2.

Users are recommended to upgrade to version 3.4.2, which fixes the issue.

References

github.com/advisories/GHSA-r989-cjhx-3v49
lists.apache.org/thread/4f1fojpj26z9y5nd1ko845gcknpn75g2
nvd.nist.gov/vuln/detail/CVE-2026-32966

Code Behaviors & Features

Detect and mitigate CVE-2026-32966 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →