CVE-2026-30778 - Vulnerability Details - OpenCVE

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.

This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.

Users are recommended to upgrade to version 10.4.0, which fixes the issue.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache Subscribe	Skywalking Subscribe

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Apache Subscribe	Skywalking Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3

History

Wed, 15 Apr 2026 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache skywalking
Vendors & Products		Apache Apache skywalking

Wed, 15 Apr 2026 11:00:00 +0000

Type	Values Removed	Values Added
Description		The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.
Title		Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
Weaknesses		CWE-202
References		https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-04-15T10:54:25.212Z

Updated: 2026-04-15T11:25:13.874Z

Reserved: 2026-03-05T01:06:13.446Z

Link: CVE-2026-30778

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:48:23Z

Weaknesses

CWE-202

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30778", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-05T01:06:13.446Z", "datePublished": "2026-04-15T10:54:25.212Z", "dateUpdated": "2026-04-15T11:25:13.874Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache SkyWalking", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "10.3.0", "status": "affected", "version": "9.7.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "shuiboye@gmail.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.</p><p>This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.</p><p>Users are recommended to upgrade to version 10.4.0, which fixes the issue.</p>"}], "value": "The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\n\nThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\n\nUsers are recommended to upgrade to version 10.4.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-202", "description": "CWE-202 Exposure of Sensitive Information Through Data Queries", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-15T10:54:25.212Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/15/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-15T11:25:13.874Z"}}]}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.7.0,10.3.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache SkyWalking", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "skywalking", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-15T12:51:07.685449+00:00", "value": {"mitigation_remediation": ["Upgrade Apache SkyWalking to version 10.4.0 to apply the vendor fix.", "Disable the /debugging/config/dump endpoint or restrict its exposure behind authentication or network controls.", "Monitor logs for attempts to access the debugging endpoint and implement an alerting rule for repeated or unusual access attempts."], "summary": {"action": "Patch", "impact": "Sensitive configuration information disclosure"}, "threat_synthesis": {"affected_systems": "Apache SkyWalking versions 9.7.0 through 10.3.0 are affected. The vendor release 10.4.0 contains the fix and is the recommended version for all deployments.", "description_and_impact": "The Apache SkyWalking OAP /debugging/config/dump endpoint can expose sensitive database configuration details, including MySQL or PostgreSQL credentials, to an attacker. When accessed, the response contains configuration values that could be used to compromise the underlying database. The CWE indicates a privacy compromise due to inadequate data handling. The likely attack vector is limited to users who can reach the open endpoint and may require local or remote access if authentication or firewall controls are lax. Based on the description, it is inferred that unauthenticated or low\u2011privileged users could consume this data.", "risk_and_exploitability": "The CVSS score is not provided and no Exploit Prediction Scoring System score is available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. While the endpoint can leak confidential data, an attacker must first reach the endpoint; the lack of public exploitation evidence suggests a moderate risk, yet any exposure of database credentials is severe for confidentiality. The highest rating comes from the potential for total loss of database integrity if those credentials are used to modify or delete data."}}}}, "created": "2026-04-15T13:38:28.755100+00:00", "updated": "2026-04-15T13:48:23.606263+00:00", "vendors": ["apache", "apache$PRODUCT$skywalking"]}