Platform
java
Component
org.open-metadata:openmetadata-sdk
Fixed in
1.11.9
1.11.8
CVE-2026-26010 is a security vulnerability affecting the OpenMetadata SDK. The flaw lets low-privileged authenticated users (a read-only account is sufficient) obtain the JWT tokens used by ingestion bots, which can grant access to highly privileged accounts. The vulnerability affects OpenMetadata SDK versions up to and including 1.11.7; a fix is available in version 1.11.8.
The primary impact of CVE-2026-26010 is the unauthorized access to highly privileged accounts, typically those associated with the Ingestion Bot Role. An attacker who successfully extracts a JWT can leverage this access to perform destructive changes within the OpenMetadata instance. This includes modifying metadata, deleting critical data, and potentially exfiltrating sensitive information such as sample data or service metadata that would otherwise be restricted by role-based access controls. The potential blast radius extends to any data managed by OpenMetadata, particularly those services integrated via ingestion pipelines like Glue, Redshift, and Postgres. The ease of exploitation, requiring only a read-only user account, significantly increases the risk.
CVE-2026-26010 was publicly disclosed on 2026-02-11. A proof-of-concept (PoC) demonstrating the JWT extraction has been published, indicating a relatively low barrier to entry for exploitation. The vulnerability is not currently listed on CISA KEV, and there are no confirmed reports of active exploitation at the time of this writing. The ease of exploitation and the potential for significant impact warrant close monitoring and prompt remediation.
Organizations utilizing OpenMetadata for data governance and metadata management are at risk. Specifically, deployments with read-only user accounts that have access to the /api/v1/ingestionPipelines endpoint are particularly vulnerable. Environments relying on the 'Ingestion Bot' role for automated data ingestion processes are also at heightened risk, as a compromised JWT could disrupt these critical workflows.
• java / server: Monitor OpenMetadata access logs for requests to /api/v1/ingestionPipelines from read-only user accounts. Because a single successful request is enough to leak the bot token, do not only look for bursts or unusual volumes: any read of pipeline configuration by an account that has no business seeing it is worth investigating.
• generic web: Use curl to request the /api/v1/ingestionPipelines endpoint with a read-only user's credentials and examine the full response (body and headers) for embedded JWTs. The token to look for is the ingestion bot's, not the one you authenticated with; a compact JWT is three base64url segments separated by dots and, for the usual JSON header, begins with "eyJ".
curl -s -i -H "Authorization: Bearer <read_only_jwt>" https://<openmetadata_url>/api/v1/ingestionPipelines
disclosure
poc
patch
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26010 is to upgrade to OpenMetadata SDK version 1.11.8 or later, which closes the JWT leak. If an immediate upgrade is not feasible, apply temporary workarounds: restrict access to the /api/v1/ingestionPipelines endpoint to the users who actually administer ingestion, and monitor API logs for requests to that endpoint from accounts that should not read pipeline configuration. Note that upgrading only stops further leakage; it does not invalidate tokens that were already retrieved. Rotate the ingestion bot's JWT after patching (and treat the old token as compromised if any read-only account could have reached the endpoint), and keep bot tokens on a short rotation schedule so that a future leak has a bounded lifetime. After upgrading, confirm the fix by requesting /api/v1/ingestionPipelines with a read-only user account and verifying that the response no longer contains a JWT.
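The following is an added example, not code from the OpenMetadata project or from this advisory. It implements the two checks described above in the detection bullets and in the post-upgrade verification step: scanning an API response for embedded JWTs (decoding their claims without verifying the signature, purely for triage), and filtering access-log lines for reads of /api/v1/ingestionPipelines by read-only accounts. The JSON field names, the access-log format and the sample token are constructed for the example and are assumptions; the real response layout and log format will differ.

```python
"""Added example, not OpenMetadata project code.

Assumptions (hypothetical, not taken from the advisory):
  - the API response is JSON of arbitrary nesting; field names are made up
  - access-log lines look like "<ip> <user> <method> <path> <status>"
"""
import base64
import json
import re
from typing import Any, Iterator

# Compact-serialised JWT: three base64url segments separated by dots.
# The base64url encoding of a JSON header such as {"alg":...} starts with
# "eyJ", which is a cheap heuristic for spotting tokens in arbitrary text.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_decode(segment: str) -> bytes:
    """base64url decode with the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.

    This is for triaging a token found in a leaked response (who does it
    belong to?), never for authentication decisions.
    """
    return json.loads(_b64url_decode(token.split(".")[1]))


def find_jwts(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, token) for every JWT-shaped string in a JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_jwts(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_jwts(value, f"{path}[{index}]")
    elif isinstance(node, str) and JWT_RE.match(node):
        yield path, node


def leaked_tokens(response_json: Any) -> list[dict]:
    """List every embedded JWT with where it was found and its subject claim."""
    return [
        {"path": path, "sub": decode_claims(tok).get("sub"), "claims": decode_claims(tok)}
        for path, tok in find_jwts(response_json)
    ]


# Constructed access-log format (an assumption): "<ip> <user> <method> <path> <status>"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def flag_pipeline_reads(lines: list[str], read_only_users: set[str]) -> list[tuple[str, str]]:
    """Return (user, path) for each request to the ingestion-pipelines endpoint
    made by an account in read_only_users. One hit is enough to matter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["user"] in read_only_users and m["path"].startswith("/api/v1/ingestionPipelines"):
            hits.append((m["user"], m["path"]))
    return hits


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for the constructed sample only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{enc({"alg": "HS256", "typ": "JWT"})}.{enc(claims)}.dummysignature'


# Constructed sample response; field names are hypothetical, not OpenMetadata's schema.
SAMPLE_RESPONSE = {
    "data": [
        {
            "name": "glue_metadata_ingest",
            "pipelineType": "metadata",
            "serverConnection": {"authToken": make_sample_token({"sub": "ingestion-bot", "isBot": True})},
        },
        {"name": "postgres_profiler", "pipelineType": "profiler", "description": "no secrets here"},
    ],
    "paging": {"total": 2},
}

# Constructed access-log lines in the assumed format above.
SAMPLE_LOG = [
    "10.0.0.5 alice GET /api/v1/ingestionPipelines 200",
    "10.0.0.5 alice GET /api/v1/tables/name/db.schema.t 200",
    "10.0.0.9 svc-admin GET /api/v1/ingestionPipelines?limit=100 200",
    "10.0.0.7 bob GET /api/v1/ingestionPipelines/name/glue_metadata_ingest 200",
]

if __name__ == "__main__":
    for hit in leaked_tokens(SAMPLE_RESPONSE):
        print(f"JWT at {hit['path']} belongs to sub={hit['sub']}")
    for user, path in flag_pipeline_reads(SAMPLE_LOG, {"alice", "bob"}):
        print(f"read-only user {user} read {path}")
```

To use this against a real deployment, feed `leaked_tokens` the parsed JSON from the curl request above (before and after upgrading: a non-empty result before and an empty one after is the verification the advisory asks for), and feed `flag_pipeline_reads` your access log with the set of accounts that hold only read permissions, after adapting `LOG_RE` to your log format.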
Update OpenMetadata to version 1.11.8 or later. This version fixes the vulnerability that allows unauthorized users to gain access to accounts with elevated privileges through leaked JWTs.
CVE-2026-26010 is a HIGH severity vulnerability in OpenMetadata SDK versions ≤1.11.7 that allows read-only users to extract JWT tokens used by ingestion bots, potentially granting unauthorized access.
If you are using OpenMetadata SDK versions 1.11.7 or earlier, you are potentially affected by this vulnerability. Assess your environment and prioritize upgrading.
Upgrade to OpenMetadata SDK version 1.11.8 or later to remediate the JWT leakage vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While there is no confirmed active exploitation, a public proof-of-concept exists, increasing the risk of exploitation. Proactive mitigation is recommended.
Refer to the official OpenMetadata security advisory, published under the project's GitHub security advisories, for detailed information and updates regarding CVE-2026-26010.