CVE-2025-62188

EUVD-2025-209369

09.04.2026, 10:16

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler.

This vulnerability may allow unauthorized actors to access sensitive information, including database credentials.


This issue affects Apache DolphinScheduler versions 3.1.*.


Users are recommended to upgrade to:







  *  version ≥ 3.2.0 if using 3.1.x






As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:


```
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
```

Alternatively, add the following configuration to the application.yaml file:


```
management:
   endpoints:
     web:
        exposure:
          include: health,metrics,prometheus
```

This issue has been reported as CVE-2023-48796:

 https://cveprocess.apache.org/cve5/CVE-2023-48796

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
apache	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
apache	dolphinscheduler	3.1.0 ≤ 𝑥 < 3.2.0	CNA

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo

https://www.cve.org/CVERecord?id=CVE-2023-48796