Apache DolphinScheduler config file read by task risk
Description
Apache DolphinScheduler tasks can expose database passwords when reading config files; upgrade to 2.0.6 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2022-26885 is a vulnerability in Apache DolphinScheduler where tasks that read configuration files may inadvertently disclose database passwords. The root cause is that tasks have access to configuration files that may contain sensitive credentials. [2]
Exploitation
An attacker who can create or execute tasks within DolphinScheduler could exploit this flaw by crafting tasks that read config files containing database passwords. The attack requires some level of access to the DolphinScheduler instance, but no special authentication beyond normal task permissions is mentioned. [2]
Impact
Successful exploitation discloses database credentials, which may allow unauthorized access to the underlying database and lead to data breaches or further compromise. [2]
Mitigation
The Apache Software Foundation has addressed this vulnerability in DolphinScheduler version 2.0.6. Users are strongly advised to upgrade to version 2.0.6 or later. The release notes for 2.0.6 include numerous bug fixes and security improvements. [3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler-common (Maven) | < 2.0.6 | 2.0.6 |
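To check a Maven project against the affected range in the table above, the following added example (not code from the advisory or from the DolphinScheduler project) scans a pom.xml for `org.apache.dolphinscheduler` coordinates and orders versions so that `2.0.6-SNAPSHOT` counts as below `2.0.6`. The function names and the sample pom are constructed for illustration; matching on the whole groupId rather than only `dolphinscheduler-common` is an assumption, based on the modules sharing one version in the release commit.

```python
import re
import xml.etree.ElementTree as ET

GROUP = "org.apache.dolphinscheduler"  # groupId from the advisory's package table
PATCHED = "2.0.6"                      # first patched version per the advisory

def version_key(version):
    """Sort key for plain Maven versions (2.0.5, 2.0.6-SNAPSHOT, 2.0.6).
    Simplification: any '-qualifier' build sorts before the bare release."""
    base, _, qualifier = version.strip().partition("-")
    nums = [int(n) for n in re.findall(r"\d+", base)]
    return (tuple((nums + [0, 0, 0, 0])[:4]), 0 if qualifier else 1)

def classify(declared, props):
    """Return 'affected', 'patched' or 'unresolved' for one declared version."""
    version = (declared or "").strip()
    ref = re.fullmatch(r"\$\{(.+)\}", version)
    if ref:                            # resolve ${property} from this pom only
        version = props.get(ref.group(1), "")
    if not re.match(r"\d", version):   # missing, managed elsewhere, or unresolved
        return "unresolved"
    return "affected" if version_key(version) < version_key(PATCHED) else "patched"

def scan_pom(pom_text):
    """List (artifactId, declared version, status) for DolphinScheduler coordinates."""
    root = ET.fromstring(pom_text)
    for el in root.iter():             # drop the POM namespace so plain tags match
        el.tag = el.tag.split("}")[-1]
    props_el = root.find("properties")
    props = {p.tag: (p.text or "").strip() for p in props_el} if props_el is not None else {}
    findings = []
    for node in [root.find("parent"), *root.iter("dependency")]:
        if node is None or (node.findtext("groupId") or "").strip() != GROUP:
            continue
        declared = node.findtext("version")
        findings.append(((node.findtext("artifactId") or "?").strip(),
                         declared.strip() if declared else None,
                         classify(declared, props)))
    return findings

# Constructed sample pom, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.apache.dolphinscheduler</groupId>
    <artifactId>dolphinscheduler</artifactId><version>2.0.6-SNAPSHOT</version></parent>
  <properties><ds.version>2.0.5</ds.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.dolphinscheduler</groupId>
      <artifactId>dolphinscheduler-common</artifactId><version>${ds.version}</version></dependency>
    <dependency><groupId>org.apache.dolphinscheduler</groupId>
      <artifactId>dolphinscheduler-spi</artifactId></dependency>
    <dependency><groupId>org.apache.dolphinscheduler</groupId>
      <artifactId>dolphinscheduler-dao</artifactId><version>2.0.6</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for finding in scan_pom(SAMPLE_POM):
        print(*finding)
```

An `unresolved` result means the version is set outside this pom (a parent or BOM), so the effective version has to be confirmed from the resolved dependency tree.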
Affected products
- Range: Apache DolphinScheduler
Patches
16aaf6e39ed87 [maven-release-plugin] prepare release 2.0.6
50 files changed · +51 −51
dolphinscheduler-alert/dolphinscheduler-alert-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>dolphinscheduler-alert</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-alert-api</artifactId>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-dingtalk/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-alert-plugins</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-alert-dingtalk</artifactId>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-email/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-alert-plugins</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-alert-email</artifactId>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-feishu/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-alert-plugins</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-alert-feishu</artifactId>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-http/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-alert-plugins</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-alert-http</artifactId>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-alert-plugins</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-alert-script</artifactId>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-slack/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-alert-plugins</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-alert-slack</artifactId>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-wechat/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-alert-plugins</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-alert-wechat</artifactId>
dolphinscheduler-alert/dolphinscheduler-alert-plugins/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-alert</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-alert-plugins</artifactId>
dolphinscheduler-alert/dolphinscheduler-alert-server/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler-alert</artifactId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <artifactId>dolphinscheduler-alert-server</artifactId> <name>${project.artifactId}</name>
dolphinscheduler-alert/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>dolphinscheduler</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <packaging>pom</packaging>
dolphinscheduler-api/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <artifactId>dolphinscheduler-api</artifactId> <name>${project.artifactId}</name>
dolphinscheduler-common/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <artifactId>dolphinscheduler-common</artifactId> <name>dolphinscheduler-common</name>
dolphinscheduler-dao/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <artifactId>dolphinscheduler-dao</artifactId> <name>${project.artifactId}</name>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-all/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-datasource-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <artifactId>dolphinscheduler-datasource-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-clickhouse/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-datasource-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-db2/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-datasource-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-hive/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-datasource-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-mysql/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-datasource-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-oracle/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-datasource-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-postgresql/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-datasource-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-sqlserver/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <artifactId>dolphinscheduler-datasource-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-datasource-plugin/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-datasource-plugin</artifactId>
dolphinscheduler-dist/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <artifactId>dolphinscheduler</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-python/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <artifactId>dolphinscheduler-python</artifactId> <name>${project.artifactId}</name>
dolphinscheduler-registry/dolphinscheduler-registry-api/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>dolphinscheduler-registry</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-registry/dolphinscheduler-registry-plugins/dolphinscheduler-registry-zookeeper/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-registry-plugins</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-registry/dolphinscheduler-registry-plugins/pom.xml+1 −1 modified@@ -22,7 +22,7 @@ <parent> <artifactId>dolphinscheduler-registry</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <artifactId>dolphinscheduler-registry-plugins</artifactId> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-registry/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-registry</artifactId>
dolphinscheduler-remote/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-server/pom.xml+1 −1 modified@@ -21,7 +21,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <artifactId>dolphinscheduler-server</artifactId> <name>dolphinscheduler-server</name>
dolphinscheduler-service/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-spi/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <artifactId>dolphinscheduler-spi</artifactId> <name>${project.artifactId}</name>
dolphinscheduler-standalone-server/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/dolphinscheduler-task-api/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <packaging>jar</packaging>
dolphinscheduler-task-plugin/dolphinscheduler-task-datax/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/dolphinscheduler-task-flink/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/dolphinscheduler-task-http/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/dolphinscheduler-task-mr/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/dolphinscheduler-task-pigeon/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/dolphinscheduler-task-procedure/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/dolphinscheduler-task-python/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/dolphinscheduler-task-shell/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/dolphinscheduler-task-spark/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>dolphinscheduler-task-spark</artifactId>
dolphinscheduler-task-plugin/dolphinscheduler-task-sql/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/dolphinscheduler-task-sqoop/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler-task-plugin</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-task-plugin/pom.xml+1 −1 modified@@ -19,7 +19,7 @@ <parent> <artifactId>dolphinscheduler</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
dolphinscheduler-ui/pom.xml+1 −1 modified@@ -20,7 +20,7 @@ <parent> <artifactId>dolphinscheduler</artifactId> <groupId>org.apache.dolphinscheduler</groupId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> </parent> <modelVersion>4.0.0</modelVersion>
pom.xml+2 −2 modified@@ -19,7 +19,7 @@ <modelVersion>4.0.0</modelVersion> <groupId>org.apache.dolphinscheduler</groupId> <artifactId>dolphinscheduler</artifactId> - <version>2.0.6-SNAPSHOT</version> + <version>2.0.6</version> <packaging>pom</packaging> <name>${project.artifactId}</name> <url>https://dolphinscheduler.apache.org</url> @@ -38,7 +38,7 @@ <connection>scm:git:https://github.com/apache/dolphinscheduler.git</connection> <developerConnection>scm:git:https://github.com/apache/dolphinscheduler.git</developerConnection> <url>https://github.com/apache/dolphinscheduler</url> - <tag>HEAD</tag> + <tag>2.0.6</tag> </scm> <mailingLists> <mailingList>
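Review bot: None of the hunks above touches task execution or configuration handling, so this commit cannot be reviewed as the fix for the config-file password disclosure: every pom.xml change is `<version>2.0.6-SNAPSHOT</version>` to `<version>2.0.6</version>`, and the second hunk of the root pom.xml only sets `<tag>HEAD</tag>` to `<tag>2.0.6</tag>` in the `<scm>` block. Treat it as the release marker and link the commit that actually changes how tasks reach config files, so the behaviour change can be checked against the advisory.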
Vulnerability mechanics
Root cause
"Sensitive configuration values (database passwords) are exposed when tasks read config files."
Attack vector
An attacker who can create or modify task definitions can trigger the reading of config files that contain database credentials. When the task executes, the database password is disclosed through the task's output or logs. The attack requires the ability to define tasks within the DolphinScheduler environment [patch_id=1641634]. No authentication bypass is needed if the attacker already has task creation privileges.
Affected code
The vulnerability exists in the Apache DolphinScheduler task mechanism that reads configuration files. When tasks are configured to read config files, the database password is exposed in a way that could be accessed by unauthorized users. The patch modifies how configuration values are handled during task execution to prevent this leakage.
What the fix does
The patch [patch_id=1641634] addresses the vulnerability by ensuring that sensitive configuration values such as database passwords are not exposed when tasks read config files. The exact changes involve sanitizing or restricting access to configuration properties that contain credentials. This prevents the password from appearing in task outputs, logs, or other accessible locations during task execution.
Preconditions
- auth: Attacker must have the ability to create or modify task definitions in Apache DolphinScheduler
- config: The task must be configured to read config files that contain database credentials
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.