Apache DolphinScheduler: Information Leakage Vulnerability
Description
Apache DolphinScheduler before 3.2.1 logs session IDs into plain-text logs, allowing unauthorized actors to hijack sessions and access sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache DolphinScheduler before 3.2.1 logs session IDs into plain-text logs, allowing unauthorized actors to hijack sessions and access sensitive information.
Vulnerability
Overview
CVE-2023-49068 is an information exposure vulnerability in Apache DolphinScheduler, an open-source distributed workflow orchestration platform [2]. The flaw affects versions prior to 3.2.1 and stems from the application logging sensitive session identifiers (session IDs) into system logs during user authentication [4]. While the log is typically only accessible to operators, the explicit recording of session IDs introduces a risk of session hijacking if those logs are exposed or leaked [1][4].
Exploitation
Vector
The vulnerability is triggered automatically during the authentication process. When a user logs in, the session ID is recorded in a log statement such as log.info("Session is created and sessionId is :{ }.", sessionId). An attacker who gains read access to the logs—through misconfigured log storage, compromised logging infrastructure, or insider threats—can extract active session IDs. No special privileges or additional authentication on the DolphinScheduler instance are required beyond access to the logs.
Impact
An unauthorized actor who obtains a valid session ID can impersonate the legitimate user, gaining the same level of access to the DolphinScheduler instance. This includes viewing, modifying, or running workflows, accessing data source configurations, and potentially exfiltrating sensitive orchestration metadata or credentials. The confidentiality of the system is compromised, and the attack can lead to privilege escalation or data breaches.
Mitigation
Apache has addressed the issue by modifying the authentication log to remove the session ID and instead log only the username (e.g., log.info("Session is created, userName:{ }.", user.getUserName())) in commit 7308888 [4]. The fix is included in version 3.2.1 [1]. Users who cannot immediately upgrade should restrict log access to trusted operators and consider rotating any exposed session tokens [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.dolphinscheduler:dolphinscheduler-apiMaven | < 3.2.1 | 3.2.1 |
Affected products
2- Range: 0
Patches
17308888c703ffix security issue (#15192)
1 file changed · +1 −1
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/AbstractAuthenticator.java+1 −1 modified@@ -95,7 +95,7 @@ public Result<Map<String, String>> authenticate(String userId, String password, return result; } - log.info("Session is created and sessionId is :{}.", sessionId); + log.info("Session is created, userName:{}.", user.getUserName()); Map<String, String> data = new HashMap<>(); data.put(Constants.SESSION_ID, sessionId);
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-c6cg-73p3-973hghsaADVISORY
- lists.apache.org/thread/jn6kr6mjdgtfgpxoq9j8q4pkfsq8zmpqghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-49068ghsaADVISORY
- github.com/apache/dolphinscheduler/commit/7308888c703fbe227887d2426273100582096134ghsaWEB
- github.com/apache/dolphinscheduler/pull/15192ghsaissue-trackingWEB
News mentions
0No linked articles in our index yet.