CVE-2025-62188

HIGH

Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.

Title source: cna

Description

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*. Users are recommended to upgrade to: * version ≥ 3.2.0 if using 3.1.x As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable: ``` MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus ``` Alternatively, add the following configuration to the application.yaml file: ``` management: endpoints: web: exposure: include: health,metrics,prometheus ``` This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo

https://www.cve.org/CVERecord?id=CVE-2023-48796

Scores

CVSS v3 7.5

EPSS 0.0003

EPSS Percentile 8.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (3)

apache/dolphinscheduler 3.1.0 - 3.2.0

Apache Software Foundation/Apache DolphinScheduler 3.1.0 - 3.2.0

org.apache.dolphinscheduler/dolphinscheduler 3.1.0 - 3.2.0Maven

Published Apr 09, 2026

Tracked Since Apr 09, 2026