🔐 CVE Alert

CVE-2025-62188

HIGH 7.5

Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 5th

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials.

This issue affects Apache DolphinScheduler versions 3.1.*.

Users are recommended to upgrade to:

* version ≥ 3.2.0 if using 3.1.x

As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:

```
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
```

Alternatively, add the following configuration to the application.yaml file:

```
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```

This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796
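To confirm the workaround above is actually in effect on a host, the following added example (not code from the advisory or from Apache DolphinScheduler) checks the exposure setting against the advisory's allowlist. The function names and sample YAML strings are constructed for illustration, and it relies on standard Spring Boot behaviour where an environment variable overrides application.yaml.

```python
import re

# Endpoint allowlist and setting names taken from the advisory's workaround.
ADVISORY_ALLOWLIST = {"health", "metrics", "prometheus"}
ENV_KEY = "MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE"
YAML_PATH = ["management", "endpoints", "web", "exposure", "include"]

# Constructed sample inputs (not copied from any DolphinScheduler release).
WILDCARD_YAML = "management:\n  endpoints:\n    web:\n      exposure:\n        include: '*'\n"
WORKAROUND_YAML = WILDCARD_YAML.replace("'*'", "health,metrics,prometheus")

def yaml_lookup(text, path):
    """Find a scalar in nested block-style 'key: value' YAML (no lists or flow maps)."""
    stack = []  # (indent, key) pairs for the current nesting
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        m = re.match(r"^(\s*)([^\s:#][^:]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if [k for _, k in stack] == path and value:
            return value.strip("'\"")
    return None

def audit(yaml_text, env):
    """Report which setting is in effect and any endpoint outside the allowlist."""
    # Spring Boot gives OS environment variables precedence over application.yaml.
    if env.get(ENV_KEY):
        source, raw = "env", env[ENV_KEY]
    else:
        source, raw = "application.yaml", yaml_lookup(yaml_text, YAML_PATH)
    if raw is None:
        # Workaround absent from both places: flag for manual review.
        return {"source": "unset", "compliant": False, "extra": []}
    exposed = {e.strip().lower() for e in raw.split(",") if e.strip()}
    extra = sorted(exposed - ADVISORY_ALLOWLIST)
    return {"source": source, "compliant": not extra, "extra": extra}

if __name__ == "__main__":
    print(audit(WILDCARD_YAML, {}))
    print(audit(WORKAROUND_YAML, {}))
    print(audit(WILDCARD_YAML, {ENV_KEY: "health,metrics,prometheus"}))
```

In practice, pass the contents of the deployed application.yaml and `dict(os.environ)` from the service's own environment, since a shell session may not carry the same variables as the running process.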

CWE: CWE-200
Vendor: apache software foundation
Product: apache dolphinscheduler
Published: Apr 9, 2026
Last Updated: Apr 9, 2026

Affected Versions

Apache Software Foundation / Apache DolphinScheduler
3.1.0 < 3.2.0

References

lists.apache.org: https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo
cve.org: https://www.cve.org/CVERecord?id=CVE-2023-48796

Credits

w aiyou 🔍 魏大创