A low-severity security issue in Apache DolphinScheduler has been addressed in the latest release.
Identified as CVE-2024-43166 and classified under CWE-276: Incorrect Default Permissions, this vulnerability affects all DolphinScheduler versions prior to 3.2.2. Users are strongly advised to upgrade to version 3.3.1 as soon as possible to mitigate potential risks.
Apache DolphinScheduler is an open-source, distributed scheduling system designed to orchestrate complex data workflows.
It is widely adopted for its extensibility, fault tolerance, and rich monitoring features. On September 3, 2025, security researcher L0ne1y reported that DolphinScheduler’s default file and directory permissions were overly permissive in versions before 3.2.2.
Under these conditions, unauthorized users could, in certain configurations, gain access to files or directories that should have been restricted, potentially exposing sensitive workflow definitions, credentials, or logs.
In shared or multi-tenant environments—common in enterprise data platforms—this could allow a malicious actor or unprivileged user to read configuration files or logs belonging to other users.
The issue was promptly assigned the identifier CVE-2024-43166 and disclosed to the project’s security mailing list by Lidong Dai on Wednesday, September 3, 2025.
Affected Versions and Severity
- Affected: Apache DolphinScheduler versions prior to 3.2.2
- Severity: Low
The vulnerability’s low severity rating reflects that successful exploitation requires local access or an existing ability to interact with the DolphinScheduler server’s filesystem. There is no evidence of this flaw being exploited in the wild.
While the vulnerability does not permit direct remote code execution or data exfiltration by itself, it contravenes the principle of least privilege.
The DolphinScheduler development team has remedied the incorrect default permissions in the 3.3.1 release.
This update tightens file and directory creation policies, ensuring that only authorized system users and the DolphinScheduler service account can access critical files. Specifically:
- Workflow definition files now default to permission mode `640` (read/write for owner, read for group).
- Log files adopt `640` by default.
- Configuration directories are root-owned with `750` permissions, restricting access to the service account and administrators.
These stricter defaults align with industry best practices and the principle of least privilege, reducing attack surface in production deployments.
How to Upgrade
To update your Apache DolphinScheduler installation:
- Backup
  - Stop the DolphinScheduler service.
  - Back up the existing installation directory and any custom configuration files.
- Download
  - Obtain the 3.3.1 binaries or source package.
- Install
  - Replace the old binary or extract the new package.
  - Verify that your `conf/` directory retains your custom settings.
  - Ensure that file ownership and group assignments are correct:

    ```bash
    # Give the service account ownership of the installation tree.
    chown -R dolphinscheduler:dolphinscheduler /opt/dolphinscheduler
    # Files to 640 (this also clears the execute bit; restore it on scripts that must run).
    find /opt/dolphinscheduler -type f -exec chmod 640 {} \;
    # Directories to 750: owner full access, group read/traverse, nothing for others.
    find /opt/dolphinscheduler -type d -exec chmod 750 {} \;
    ```
- Restart and Verify
  - Start the DolphinScheduler service.
  - Check logs to confirm successful startup.
  - Validate that permissions on critical files and directories conform to expectations.
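For the final validation step, an added example (not from the DolphinScheduler project or the original article): a POSIX shell check that lists anything under the installation directory that is group-writable or accessible to other users, that is, looser than the 640/750 modes above. The function names and the `AUDIT_DIR` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an install tree for modes wider than the
# 640 (files) / 750 (directories) defaults described in the article.
# Function names and AUDIT_DIR are hypothetical, chosen for this example.

# list_loose_perms DIR
# Prints every file or directory under DIR that is group-writable (020)
# or grants read, write or execute to "other" (004, 002, 001).
# Owner and group execute bits are not flagged, since scripts need them.
list_loose_perms() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# audit_perms DIR
# Returns 0 if nothing is looser than expected, 1 if something is,
# and 2 if DIR is not a directory. Findings go to stderr as `ls -ld` lines.
audit_perms() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    loose=$(list_loose_perms "$1")
    if [ -n "$loose" ]; then
        echo "Entries more permissive than 640/750:" >&2
        printf '%s\n' "$loose" | while IFS= read -r path; do
            ls -ld "$path" >&2
        done
        return 1
    fi
    return 0
}

# Stand-alone use: AUDIT_DIR=/opt/dolphinscheduler sh audit.sh
if [ -n "${AUDIT_DIR:-}" ]; then
    audit_perms "$AUDIT_DIR"
fi
```

Run it as a user that can traverse the whole tree; a non-zero exit status makes it usable as a post-upgrade gate in deployment scripts.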
The Apache DolphinScheduler project extends its gratitude to L0ne1y for responsibly disclosing this issue. This report underscores the importance of continuous security reviews and community contributions to open-source software.
Although low in severity, the CVE-2024-43166 default permissions vulnerability emphasizes the necessity of strict file access controls within multi-tenant data systems.
All DolphinScheduler users on versions before 3.2.2 should upgrade to 3.3.1 without delay to ensure robust security foundations and comply with best practices for permission management.