Platform: java
Component: org.open-metadata:openmetadata-sdk
Fixed in: 1.11.9, 1.11.8
CVE-2026-26010 is a security vulnerability affecting the OpenMetadata SDK. This flaw allows unauthorized users to leak JWT tokens used by ingestion bots, potentially granting access to highly privileged accounts. The vulnerability impacts versions of the OpenMetadata SDK up to and including 1.11.7, and a fix is available in version 1.11.8.
The primary impact of CVE-2026-26010 is the exposure of JWT tokens used by the OpenMetadata ingestion bot. These tokens typically grant elevated privileges, often associated with roles like 'Ingestion Bot'. An attacker who successfully extracts a JWT can leverage it to perform destructive actions within the OpenMetadata instance, including modifying metadata, deleting pipelines, and potentially exfiltrating sensitive data. The description specifically mentions sample data and service metadata as potential targets. This vulnerability is particularly concerning as it allows a read-only user to gain significant control, bypassing standard access controls and potentially leading to a complete compromise of the OpenMetadata environment. The ability to extract these tokens from the /api/v1/ingestionPipelines endpoint highlights a design flaw in how the API handles authentication and authorization.
CVE-2026-26010 was publicly disclosed on 2026-02-11. A proof-of-concept (PoC) demonstrating the JWT leakage is publicly available, increasing the likelihood of exploitation. The vulnerability's ease of exploitation and the potential for significant impact suggest a medium to high probability of exploitation. As of this writing, there is no indication of active exploitation campaigns, but the public PoC makes it a high-priority vulnerability to address.
Organizations utilizing OpenMetadata for data governance and metadata management are at risk. Specifically, deployments with read-only user accounts that have access to the /api/v1/ingestionPipelines endpoint are particularly vulnerable. Environments relying on the 'Ingestion Bot' role for automated data ingestion processes are also at heightened risk, as a compromised JWT could disrupt these critical workflows.
• java / server: Monitor OpenMetadata access logs for requests to /api/v1/ingestionPipelines originating from read-only user accounts. Look for unusual patterns or large numbers of requests.
• generic web: Use curl to test the /api/v1/ingestionPipelines endpoint with a read-only user's credentials and examine the response headers for JWT tokens.
curl -H "Authorization: Bearer <read_only_jwt>" https://<openmetadata_url>/api/v1/ingestionPipelines
disclosure
poc
patch
Exploit status
EPSS: 0.01% (percentile 3%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26010 is to upgrade to OpenMetadata SDK version 1.11.8 or later, which addresses the JWT leakage vulnerability. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restricting access to the /api/v1/ingestionPipelines endpoint to authorized users only can limit the potential for JWT extraction. Review and strengthen the permissions associated with the 'Ingestion Bot' role to minimize the impact of a compromised token. Monitoring API access logs for unusual activity, particularly requests to the vulnerable endpoint, can provide early detection of potential exploitation. After upgrading, confirm the fix by attempting to access the /api/v1/ingestionPipelines endpoint with a read-only user account and verifying that JWT tokens are no longer exposed.
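The log-monitoring check from the detection list and the post-upgrade verification step above, as an added example that is not part of this advisory or of the OpenMetadata project. The access-log format ("timestamp user method path status"), the sample log lines and the set of read-only accounts are all constructed assumptions; adapt the parser to your own log layout.

```python
import re
from collections import Counter

# Constructed sample access-log lines (assumed format, not real deployment data):
# "<timestamp> <user> <method> <path> <status>"
SAMPLE_LOG = """\
2026-02-12T09:00:01Z analyst-readonly GET /api/v1/ingestionPipelines 200
2026-02-12T09:00:02Z analyst-readonly GET /api/v1/ingestionPipelines?fields=owners 200
2026-02-12T09:00:03Z ingestion-bot PATCH /api/v1/ingestionPipelines/abc 200
2026-02-12T09:00:04Z analyst-readonly GET /api/v1/tables 200
2026-02-12T09:00:05Z viewer2 GET /api/v1/ingestionPipelines/name/x 200
"""

# Accounts that hold only read-only roles (assumed; take this from your RBAC config).
READ_ONLY_USERS = {"analyst-readonly", "viewer2"}

SENSITIVE_PATH = "/api/v1/ingestionPipelines"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_requests(log_text, read_only_users, threshold=1):
    """Return (alerted_users, hits_per_user) for read-only accounts that received a
    successful (2xx) response from the ingestionPipelines endpoint or a sub-path of it.
    threshold is the minimum hit count per user before that user is alerted on."""
    hits = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # strip query string before matching
        on_endpoint = path == SENSITIVE_PATH or path.startswith(SENSITIVE_PATH + "/")
        if on_endpoint and rec["user"] in read_only_users and rec["status"].startswith("2"):
            hits[rec["user"]] += 1
    alerts = sorted(user for user, n in hits.items() if n >= threshold)
    return alerts, dict(hits)

# A JWT is three base64url segments; the header segment of a JSON header starts with "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def response_leaks_jwt(body):
    """Post-upgrade check: True if an API response body still contains a JWT-shaped value."""
    return JWT_RE.search(body) is not None

if __name__ == "__main__":
    print(flag_requests(SAMPLE_LOG, READ_ONLY_USERS))
```

Run `response_leaks_jwt` over the body returned by the read-only curl check after upgrading; a result of `True` means tokens are still exposed and the upgrade or workaround has not taken effect.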
Upgrade OpenMetadata to version 1.11.8 or later. This version fixes the vulnerability that allows unauthorized users to access accounts with elevated privileges through JWT leakage.
CVE-2026-26010 is a HIGH severity vulnerability in OpenMetadata SDK versions ≤1.11.7 that allows read-only users to extract JWT tokens used by ingestion bots, potentially granting unauthorized access.
If you are using OpenMetadata SDK versions 1.11.7 or earlier, you are potentially affected by this vulnerability. Assess your environment and prioritize upgrading.
Upgrade to OpenMetadata SDK version 1.11.8 or later to remediate the JWT leakage vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While there is no confirmed active exploitation, a public proof-of-concept exists, increasing the risk of exploitation. Proactive mitigation is recommended.
Refer to the official OpenMetadata security advisory for detailed information and updates regarding CVE-2026-26010: [https://github.com/open-metadata/openmetadata/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)