Apache SkyWalking security advisories

Security information for Apache SkyWalking

Reporting

Do you want disclose a potential security issue for Apache SkyWalking? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Server-Side Request Forgery via SW-URL Header in MCP Server

CVE-2026-34476 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-13T13:00:58.883Z

Affected

  • Apache SkyWalking MCP at 0.1.0

Description

Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.

This issue affects Apache SkyWalking MCP: 0.1.0.

Users are recommended to upgrade to version 0.2.0, which fixes this issue.

References

Credits

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.

CVE-2026-30778 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-15T10:54:23.696Z

Affected

  • Apache SkyWalking from 9.7.0 through 10.3.0

Description

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.

This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.

Users are recommended to upgrade to version 10.4.0, which fixes the issue.

References

Credits

Stored XSS vulnerability

CVE-2025-54057 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-13T12:24:00.847Z

Affected

  • Apache SkyWalking through 10.2.0

Description

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.

This issue affects Apache SkyWalking: <= 10.2.0.

Users are recommended to upgrade to version 10.3.0, which fixes the issue.

References

Credits

Service unavailability impact in NodeJS agent(version <= 0.5.0)

CVE-2022-36127 [CVE] [CVE json] [OSV json]

Last updated: 2022-07-18T11:24:38.575Z

Affected

  • Apache SkyWalking NodeJS Agent from Apache SkyWalking NodeJS Agent through 0.5.0

Description

A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can’t establish the connection.

References