Zero Day MonitorZDM

← Back to list

7.5

CVE-2025-62188EXPLOITEDPATCHED

apache · dolphinscheduler

Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.

Description

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*. Users are recommended to upgrade to: * version ≥ 3.2.0 if using 3.1.x As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable: ``` MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus ``` Alternatively, add the following configuration to the application.yaml file: ``` management: endpoints: web: exposure: include: health,metrics,prometheus ``` This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796

Affected Products

Vendor	Product	Versions
apache	dolphinscheduler	3.1.0

References

Related News (1 articles)

Tier C

VulDB15h ago

CVE-2025-62188 | Apache DolphinScheduler up to 3.1.x Management Endpoint information disclosure

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

3.2.0

CWECWE-200

PublishedApr 9, 2026

Last enriched15h agov2

Trending Score52

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34197EXP

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

HIGHCVE-2026-34486EXP

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

HIGHCVE-2026-27314EXP

Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

LOWCVE-2026-34487EXP

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

LOWCVE-2026-34483EXP

Apache Tomcat: Incomplete escaping of JSON access logs

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 9, 2026

Discovered by ZDM

Apr 9, 2026

Updated: description, severity, activelyExploited

Apr 9, 2026

Actively Exploited

Apr 9, 2026

Patch Available

Apr 9, 2026

Version History

v2

Last enriched 15h ago

v2Tier C15h ago

Updated description with new details, changed severity to HIGH, and noted that no exploit is available.

descriptionseverityactivelyExploited

via VulDB

v117h ago

Initial creation