Apache DolphinScheduler exposes files without authentication
Description
Users can read any file via the log server; Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache DolphinScheduler before 2.0.6 allows unauthenticated file disclosure via its log server.
Vulnerability Overview
CVE-2022-26884 is a path traversal vulnerability in Apache DolphinScheduler that allows an unauthenticated attacker to read arbitrary files on the server through the log server component. The root cause is missing authorization checks when the log server serves file contents, enabling access to sensitive system files outside the intended directory [1][3].
Attack Vector
An attacker can exploit this flaw by sending specially crafted requests to the DolphinScheduler log server, which typically listens on a dedicated port. The vulnerability does not require authentication, meaning any network-accessible instance is at risk. The attack surface is broadened because the log server is often exposed to internal or even external networks, depending on deployment configuration [3].
Impact
Successful exploitation allows an attacker to read any file readable by the DolphinScheduler process, including configuration files containing credentials, database connection strings, secret keys, and other sensitive data. This can lead to full system compromise if combined with other weaknesses [1][3].
Mitigation
Apache DolphinScheduler users should upgrade to version 2.0.6 or higher, which includes the fix for this vulnerability. No workaround is documented, and the project's release notes confirm this patch addresses the issue [1][3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler | Maven | < 2.0.6 | 2.0.6 |
Affected products
Apache Software Foundation / Apache DolphinScheduler
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.