Apache SkyWalking security advisories
Security information for Apache SkyWalking
Reporting
Do you want disclose a potential security issue for Apache SkyWalking? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Server-Side Request Forgery via SW-URL Header in MCP Server
CVE-2026-34476 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-13T13:00:58.883Z
Affected
- Apache SkyWalking MCP at 0.1.0
Description
This issue affects Apache SkyWalking MCP: 0.1.0.
Users are recommended to upgrade to version 0.2.0, which fixes this issue.References
Credits
- Andrea Cosentino ancosen@gmail.com (reporter)
The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
CVE-2026-30778 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-15T10:54:23.696Z
Affected
- Apache SkyWalking from 9.7.0 through 10.3.0
Description
The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.
Users are recommended to upgrade to version 10.4.0, which fixes the issue.
References
Credits
- shuiboye@gmail.com (reporter)
Stored XSS vulnerability
CVE-2025-54057 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-13T12:24:00.847Z
Affected
- Apache SkyWalking through 10.2.0
Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.
This issue affects Apache SkyWalking: <= 10.2.0.
Users are recommended to upgrade to version 10.3.0, which fixes the issue.
References
Credits
- Vinh Nguyễn Quang (vinhnq4902@gmail.com) (reporter)
Service unavailability impact in NodeJS agent(version <= 0.5.0)
CVE-2022-36127 [CVE] [CVE json] [OSV json]
Last updated: 2022-07-18T11:24:38.575Z
Affected
- Apache SkyWalking NodeJS Agent from Apache SkyWalking NodeJS Agent through 0.5.0
Description
A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can’t establish the connection.