{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30778", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-05T01:06:13.446Z", "datePublished": "2026-04-15T10:54:25.212Z", "dateUpdated": "2026-04-16T12:05:25.254Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache SkyWalking", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "10.3.0", "status": "affected", "version": "9.7.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "shuiboye@gmail.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.</p><p>This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.</p><p>Users are recommended to upgrade to version 10.4.0, which fixes the issue.</p>"}], "value": "The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\n\nThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\n\nUsers are recommended to upgrade to version 10.4.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-202", "description": "CWE-202 Exposure of Sensitive Information Through Data Queries", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-15T10:54:25.212Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/15/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-15T11:25:13.874Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:00:29.322586Z", "id": "CVE-2026-30778", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:05:25.254Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/15/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-15T11:25:13.874Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30778", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T12:00:29.322586Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:00:25.331Z"}}], "cna": {"title": "Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "shuiboye@gmail.com"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache SkyWalking", "versions": [{"status": "affected", "version": "9.7.0", "versionType": "semver", "lessThanOrEqual": "10.3.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\n\nThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\n\nUsers are recommended to upgrade to version 10.4.0, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.</p><p>This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.</p><p>Users are recommended to upgrade to version 10.4.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-202", "description": "CWE-202 Exposure of Sensitive Information Through Data Queries"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-15T10:54:25.212Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30778", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:05:25.254Z", "dateReserved": "2026-03-05T01:06:13.446Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-15T10:54:25.212Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:skywalking:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F73C96E-106F-4394-A9CC-C8D7EBC0C8B6", "versionEndExcluding": "10.4.0", "versionStartIncluding": "9.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\n\nThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\n\nUsers are recommended to upgrade to version 10.4.0, which fixes the issue."}], "id": "CVE-2026-30778", "lastModified": "2026-04-20T16:46:52.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T11:16:33.603", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/15/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-202"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.7.0,10.3.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache SkyWalking", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "skywalking", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-17T06:59:31.500708+00:00", "value": {"mitigation_remediation": ["Upgrade Apache SkyWalking to version 10.4.0 to apply the vendor fix.", "Disable the /debugging/config/dump endpoint or restrict its exposure behind authentication or network controls.", "Monitor logs for attempts to access the debugging endpoint and implement an alerting rule for repeated or unusual access attempts."], "summary": {"action": "Patch", "impact": "Sensitive configuration information disclosure"}, "threat_synthesis": {"affected_systems": "Apache SkyWalking versions 9.7.0 through 10.3.0 are affected. The vendor release 10.4.0 contains the fix and is the recommended version for all deployments.", "description_and_impact": "The Apache SkyWalking OAP /debugging/config/dump endpoint can expose sensitive database configuration details, including MySQL or PostgreSQL credentials, to an attacker. When accessed, the response contains configuration values that could be used to compromise the underlying database. The CWE indicates a privacy compromise due to inadequate data handling. The likely attack vector is limited to users who can reach the open endpoint and may require local or remote access if authentication or firewall controls are lax. Based on the description, it is inferred that unauthenticated or low\u2011privileged users could consume this data.", "risk_and_exploitability": "The CVSS score is 7.5, and the EPSS score is less than 1%, indicating that while the vulnerability poses a moderate-to-high severity risk, its exploitation likelihood is currently low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. While the endpoint can leak confidential data, an attacker must first reach the endpoint; the lack of public exploitation evidence suggests a moderate risk, yet any exposure of database credentials is severe for confidentiality. The highest rating comes from the potential for total loss of database integrity if those credentials could be used to modify or delete data."}}}}, "created": "2026-04-15T13:38:28.755100+00:00", "updated": "2026-04-17T07:00:08.571649+00:00", "vendors": ["apache", "apache$PRODUCT$skywalking"]}