Apache dolphinscheduler sensitive information disclosure
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.
The information exposed to unauthorized actors may include sensitive data such as database credentials.
Users who cannot upgrade to the fixed version can work around the issue by setting the environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus, or by adding the following section to the application.yaml file:

```yaml
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```
This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.
Users are recommended to upgrade to version 3.0.2, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache DolphinScheduler from 3.0.0 before 3.0.2, and from 3.1.0 before 3.2.0, exposes sensitive information, including database credentials, to unauthorized actors.
Vulnerability
Overview
CVE-2023-48796 is an information disclosure vulnerability in Apache DolphinScheduler, a modern data orchestration platform [2]. The flaw allows an unauthorized actor to access sensitive information, including database credentials, because management endpoints are exposed without adequate restriction [1][4]. It affects versions from 3.0.0 before 3.0.2 and, as clarified in a later advisory, versions from 3.1.0 before 3.2.0 [3][4].
Exploitation
Context
The vulnerable component is likely the set of management endpoints exposed by Spring Boot Actuator, which DolphinScheduler uses. Without proper restriction of which endpoints are published over the web, these endpoints may leak sensitive configuration details. An attacker does not need to authenticate to read this information if the endpoints are reachable over the network [1][4]. The attack surface is therefore any network-accessible instance of an affected version.
Impact
Successful exploitation allows an attacker to obtain sensitive data such as database credentials. This can lead to further compromise of the database backend, including data exfiltration, modification, or denial of service [1][3]. The severity is rated as important [3][4].
Mitigation
The fixed version is Apache DolphinScheduler 3.0.2 for the 3.0.x line, and users of 3.1.x should upgrade to 3.2.0 [3][4]. Administrators who cannot upgrade immediately can apply a workaround that restricts management endpoint exposure: setting the environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus, or adding the corresponding configuration to application.yaml, limits the web-exposed endpoints to health, metrics and prometheus [1][4].
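To check whether a deployment actually carries the workaround, the following audit helper (added here as an example; it is not part of DolphinScheduler or the advisory) resolves the effective `management.endpoints.web.exposure.include` value the way Spring Boot does, with the environment variable overriding application.yaml, and reports which configuration-leaking Actuator endpoints would still be published. The list of sensitive endpoint ids, the tiny YAML reader and the assumed default of `health` are this example's own assumptions; it ignores any `exclude` setting.

```python
"""Audit check for the CVE-2023-48796 workaround: does the effective Spring Boot
Actuator exposure setting still publish endpoints that leak configuration?"""
import os

# Actuator endpoints whose responses can carry configuration values such as
# database credentials. Assumption: taken from Spring Boot's standard endpoint
# ids, not from the advisory itself.
SENSITIVE = {"env", "configprops", "heapdump", "beans", "mappings", "threaddump"}
ENV_VAR = "MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE"
WORKAROUND = "health,metrics,prometheus"      # value recommended by the advisory


def parse_yaml_include(text):
    """Return management.endpoints.web.exposure.include from application.yaml.
    Hypothetical helper: an indentation-based reader that handles only the
    nested-mapping shape shown in the advisory, not general YAML."""
    want = ["management", "endpoints", "web", "exposure", "include"]
    stack = []                                # (indent, key) of the current path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, val = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # leave deeper/sibling keys
            stack.pop()
        stack.append((indent, key))
        if [k for _, k in stack] == want:
            return val.strip().strip("'\"")   # accept include: '*' or "health"
    return None


def effective_include(yaml_text, env=None):
    """Resolve the property as Spring Boot does: the environment variable wins
    over application.yaml. If neither sets it, fall back to Spring Boot's own
    default (assumed here to be 'health')."""
    env = os.environ if env is None else env
    value = env.get(ENV_VAR)
    if value is None:
        value = parse_yaml_include(yaml_text)
    return "health" if value is None else value


def exposed_sensitive(include_value):
    """Sensitive endpoint ids that this include value would publish over HTTP."""
    ids = {v.strip() for v in include_value.split(",") if v.strip()}
    return set(SENSITIVE) if "*" in ids else ids & SENSITIVE
```

Run `exposed_sensitive(effective_include(open("application.yaml").read()))` on the node; an empty set means the workaround (or the fixed default) is in effect.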
- [1] NVD: CVE-2023-48796
- [2] GitHub: apache/dolphinscheduler, "Apache DolphinScheduler is the modern data orchestration platform. Agile to create high performance workflow with low-code"
- [3] security (Apache): CVE-2023-48796: Apache DolphinScheduler: Sensitive information disclosure
- [4] security (Apache): CVE-2023-48796: Apache dolphinscheduler sensitive information disclosure
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler (Maven) | >= 3.0.0, < 3.0.2 | 3.0.2 |
| apache-dolphinscheduler (PyPI) | >= 3.0.0, < 3.0.2 | 3.0.2 |
Affected products
- GHSA coordinates (no CPE): >= 3.0.0, < 3.0.2
- GHSA coordinates (no CPE): >= 3.0.0, < 3.0.2
- Apache Software Foundation / Apache DolphinScheduler (CVE v5 record): version range starting at 3.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4vvc-r4p4-qgrr (GHSA advisory)
- lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-48796 (NVD advisory)
- www.openwall.com/lists/oss-security/2023/11/24/1 (oss-security post)
- www.openwall.com/lists/oss-security/2025/11/28/1 (oss-security post)
- github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2023-268.yaml (PyPI advisory database)
News mentions
No linked articles in our index yet.