Platform
java
Component
org.open-metadata:openmetadata-sdk
Fixed in
1.11.9
1.11.8
CVE-2026-26010 is a security vulnerability affecting the OpenMetadata SDK. The flaw lets a low-privilege, read-only user retrieve the JWT tokens that ingestion bots use to authenticate to the server, and those tokens belong to highly privileged accounts. The vulnerability affects OpenMetadata SDK versions up to and including 1.11.7; a fix is available in version 1.11.8.
The primary impact of CVE-2026-26010 is the exposure of the JWT tokens used by the OpenMetadata ingestion bot. These tokens carry elevated privileges, typically those of the 'Ingestion Bot' role. An attacker who obtains one can use it to perform destructive actions in the OpenMetadata instance, including modifying metadata, deleting pipelines, and exfiltrating sensitive data; the description specifically names sample data and service metadata as potential targets. The vulnerability is particularly concerning because a read-only user gains significant control, bypassing the intended access controls and potentially leading to a complete compromise of the OpenMetadata environment. That the tokens can be read from the /api/v1/ingestionPipelines endpoint points to a design flaw: the API authorizes access to the pipeline entity but serializes the bot's credential into the same response, so anyone permitted to view the pipeline also receives the secret.
CVE-2026-26010 was publicly disclosed on 2026-02-11. A proof-of-concept (PoC) demonstrating the JWT leakage is publicly available, which increases the likelihood of exploitation. The attack requires only a read-only account and a single authenticated GET request, and the payoff is a privileged token, so the practical probability of exploitation is medium to high even though the EPSS score shown below is currently low. As of this writing there is no indication of active exploitation campaigns, but the public PoC makes this a high-priority vulnerability to address.
Exploit Status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-26010 is to upgrade to OpenMetadata SDK version 1.11.8 or later, which stops the JWT from being returned. If an immediate upgrade is not feasible, apply temporary workarounds. Because read-only users are already authorized to call /api/v1/ingestionPipelines, restricting that endpoint means limiting it to administrators and ingestion operators, for example at the reverse proxy or through OpenMetadata's own policies, rather than merely requiring authentication. Review and tighten the permissions of the 'Ingestion Bot' role so that a compromised token does less damage. Monitor API access logs for unusual activity, in particular requests to the vulnerable endpoint from accounts that do not operate ingestion, to detect exploitation early. Upgrading does not invalidate a token that was already leaked, so after upgrading rotate the ingestion bot's JWT and treat any pre-upgrade access to the endpoint by non-administrators as a potential exposure. Finally, confirm the fix by requesting /api/v1/ingestionPipelines with a read-only user account and verifying that the response no longer contains any JWT.
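The following script is an added example for the verification step above; it is not code from this page or from the OpenMetadata project. It walks a JSON response from /api/v1/ingestionPipelines, flags any string that parses as a JWT (three base64url segments with a JSON header carrying an `alg` field), and decodes the payload without verifying the signature so you can see which account the leaked token belongs to. The sample response, the field path `openMetadataServerConnection.securityConfig.jwtToken`, the Bearer-token authentication, and the environment variable names are all assumptions made for the example; the `OM_URL`/`OM_USER_TOKEN` live check is optional and only runs when those variables are set.

```python
import base64
import json
import os
import re
import urllib.request
from typing import Any, Dict, Iterator, List, Tuple

# A JWT is three base64url segments separated by dots (the signature may be empty).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWTs strip before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def looks_like_jwt(value: str) -> bool:
    """True only if the string has JWT shape AND its header is a JSON object with 'alg'.

    The header check avoids false positives on dotted strings such as version
    numbers ("1.11.7") or host names that happen to match the regex.
    """
    if not JWT_RE.match(value):
        return False
    try:
        header = json.loads(_b64url_decode(value.split(".")[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header


def unverified_claims(token: str) -> Dict[str, Any]:
    """Decode the payload WITHOUT signature verification: for triage only, never for auth."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def walk_strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string anywhere in a decoded JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk_strings(child, f"{path}.{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk_strings(child, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_leaked_tokens(body: Any) -> List[Dict[str, Any]]:
    """Return one finding per JWT found in the response, with where it sat and whose it is."""
    findings = []
    for path, value in walk_strings(body):
        if looks_like_jwt(value):
            claims = unverified_claims(value)
            findings.append({"path": path, "sub": claims.get("sub"), "isBot": claims.get("isBot")})
    return findings


def check_live_instance(base_url: str, read_only_user_token: str) -> List[Dict[str, Any]]:
    """Fetch the endpoint as a read-only user and scan the response. Empty list == fixed."""
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/ingestionPipelines",
        headers={"Authorization": f"Bearer {read_only_user_token}"},  # assumed auth scheme
    )
    with urllib.request.urlopen(request, timeout=15) as response:
        return find_leaked_tokens(json.load(response))


def _fake_jwt(claims: Dict[str, Any]) -> str:
    # Constructed token with a dummy signature; only its shape and claims matter here.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed stand-in for an unpatched server's response; the field path is an assumption.
SAMPLE_RESPONSE = {
    "data": [
        {
            "name": "sample_data_ingest",
            "version": "1.11.7",
            "openMetadataServerConnection": {
                "hostPort": "http://openmetadata:8585/api",
                "securityConfig": {"jwtToken": _fake_jwt({"sub": "ingestion-bot", "isBot": True})},
            },
        }
    ],
    "paging": {"total": 1},
}

if __name__ == "__main__":
    for finding in find_leaked_tokens(SAMPLE_RESPONSE):
        print(f"LEAK at {finding['path']}: token for sub={finding['sub']} isBot={finding['isBot']}")
    if os.environ.get("OM_URL") and os.environ.get("OM_USER_TOKEN"):
        live = check_live_instance(os.environ["OM_URL"], os.environ["OM_USER_TOKEN"])
        print("live check:", "VULNERABLE" if live else "no JWT returned (fixed)")
```

Run it against a patched instance with a read-only user's own token in `OM_USER_TOKEN`: an empty result means the response carries no JWT. A non-empty result on a patched version is worth escalating, since it means a credential is still being serialized somewhere in the entity.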
Update OpenMetadata to version 1.11.8 or higher. This version fixes the vulnerability that lets read-only users obtain privileged bot accounts through JWT leakage; after updating, rotate the ingestion bot's token in case it was already exposed.
CVE-2026-26010 is a HIGH severity vulnerability in OpenMetadata SDK versions ≤1.11.7 that allows read-only users to extract JWT tokens used by ingestion bots, potentially granting unauthorized access.
If you are using OpenMetadata SDK versions 1.11.7 or earlier, you are potentially affected by this vulnerability. Assess your environment and prioritize upgrading.
Upgrade to OpenMetadata SDK version 1.11.8 or later to remediate the JWT leakage vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While there is no confirmed active exploitation, a public proof-of-concept exists, increasing the risk of exploitation. Proactive mitigation is recommended.
Refer to the official OpenMetadata security advisory for detailed information and updates regarding CVE-2026-26010: [https://github.com/open-metadata/openmetadata/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)