GHSA-PQQF-7HXM-RJ5R
Vulnerability from github – Published: 2026-02-11 14:23 – Updated: 2026-02-18 23:30
Summary
Calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres)
Details
Any read-only user can obtain the credentials of a highly privileged account, typically one holding the Ingestion Bot Role. With that token an attacker can make destructive changes to an OpenMetadata instance and read data that the user's own roles and policies would not permit (for example sample data, or service metadata).
PoC
I was able to extract the JWT used by the bot/agent populating sample_athena.default in the Collate Sandbox. To prove this out, I changed the description to the UUID fe2e4cc1-da72-4acf-8535-112a3cfa9c7e, which is visible at https://sandbox.open-metadata.org/database/sample_athena.default.
Steps to Reproduce
- Create a Collate Sandbox account; these are non-admin accounts by default with minimal permissions.
- Open the browser's Developer Console.
- Go to the Services page (in this case, sample_athena; other services behave the same way, see below).
- In the Network tab, inspect the request made to api/v1/services/ingestionPipelines and find the jwtToken field in the response. [screenshot in original advisory]
- Use the JWT to issue (potentially destructive) API calls. [screenshot in original advisory]
- Resulting mutated description: [screenshot in original advisory]
Note that this is also the case for these services, among others:
- acme_nexus_redshift
- sample_postgres
Proposed Remediation
- Redact jwtToken in the API payload.
- Implement role-based filtering: only return JWT tokens to users with explicit admin/service-account permissions.
- (For admins) Rotate ingestion bot tokens in affected environments. Upgrading to a fixed release stops the leak, but a JWT that was already read remains a valid bearer token until it expires or is rotated.
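The following is an added example for the two technical passages above (the reproduction steps and the proposed remediation); it is not OpenMetadata project code. It does three things: walks a decoded ingestionPipelines response and flags every jwtToken field or JWT-shaped string, decodes the leaked token's claims without verifying the signature so an operator can see whose token it is and when it expires, and shows the role-gated redaction the advisory proposes. The response shape (data/openMetadataServerConnection/securityConfig), the claim names (sub, isBot, exp) and the SECRET_KEYS list are assumptions; the embedded JWT and the sample payload are constructed so the script runs offline. The fetch_pipelines helper is only for a live check against your own instance with a low-privilege user's token and is not exercised by the sample.

```python
"""Triage helper for the jwtToken leak: scan an ingestionPipelines response
for embedded secrets, decode what the leaked JWT grants, and show the
role-gated redaction the advisory proposes.

Added example, not OpenMetadata project code. Assumptions:
  - SAMPLE_RESPONSE is a constructed payload shaped like a list response
    from /api/v1/services/ingestionPipelines (field names are assumed);
  - the embedded JWT is constructed here (alg "none", unsigned) so the
    script runs offline; the claim names (sub, isBot, exp) are assumed.
"""
import base64
import json
import re
from datetime import datetime, timezone
from urllib.request import Request, urlopen

# Three base64url segments; the header of any JSON JWT starts with "eyJ".
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
# Key names that must never reach a non-admin caller (assumed list).
SECRET_KEYS = {"jwtToken", "password", "secretKey", "privateKey"}


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # JWT segments drop padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def _looks_like_jwt(value) -> bool:
    return isinstance(value, str) and JWT_RE.match(value) is not None


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Fine for triage
    (whose token, when it expires); never use it to grant trust."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def find_secrets(node, path="$"):
    """Yield (json_path, key, value) for every flagged key or JWT-shaped
    string anywhere in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and (key in SECRET_KEYS or _looks_like_jwt(value)):
                yield child, key, value
            else:
                yield from find_secrets(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_secrets(item, f"{path}[{i}]")


def triage(response: dict) -> list:
    """Summarise each leaked secret; for JWTs, say whose token it is."""
    findings = []
    for path, key, value in find_secrets(response):
        finding = {"path": path, "key": key}
        if _looks_like_jwt(value):
            claims = jwt_claims(value)
            exp = claims.get("exp")
            finding.update(
                sub=claims.get("sub"),
                isBot=bool(claims.get("isBot")),
                exp=datetime.fromtimestamp(exp, timezone.utc).isoformat() if exp else None,
            )
        findings.append(finding)
    return findings


def redact(node, caller_is_admin: bool):
    """Server-side shape of the proposed fix: drop secret fields (and any
    JWT-shaped string) unless the caller is an admin. Returns a new structure."""
    if caller_is_admin:
        return node
    if isinstance(node, dict):
        return {k: redact(v, False) for k, v in node.items()
                if k not in SECRET_KEYS and not _looks_like_jwt(v)}
    if isinstance(node, list):
        return [redact(v, False) for v in node]
    return node


def fetch_pipelines(base_url: str, user_token: str) -> dict:
    """Live check: call the endpoint as a LOW-privilege user and pass the
    result to triage(). Any finding means the instance still leaks."""
    req = Request(f"{base_url.rstrip('/')}/api/v1/services/ingestionPipelines",
                  headers={"Authorization": f"Bearer {user_token}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: one metadata pipeline carrying the bot's connection.
_BOT_JWT = (_b64url_encode({"alg": "none", "typ": "JWT"}) + "."
            + _b64url_encode({"iss": "open-metadata.org", "sub": "ingestion-bot",
                              "isBot": True, "iat": 1700000000, "exp": 1800000000}) + ".")
SAMPLE_RESPONSE = {
    "data": [{
        "name": "sample_athena_metadata",
        "pipelineType": "metadata",
        "service": {"type": "databaseService", "name": "sample_athena"},
        "openMetadataServerConnection": {
            "hostPort": "https://sandbox.open-metadata.org/api",
            "authProvider": "openmetadata",
            "securityConfig": {"jwtToken": _BOT_JWT},
        },
    }],
    "paging": {"total": 1},
}

if __name__ == "__main__":
    for f in triage(SAMPLE_RESPONSE):
        print("LEAK", f)
    print("after redaction:", triage(redact(SAMPLE_RESPONSE, caller_is_admin=False)))
```

Against the constructed sample, triage() reports one finding at data[0].openMetadataServerConnection.securityConfig.jwtToken with sub "ingestion-bot" and isBot true, and reports nothing after redact() has run for a non-admin caller. To test a real instance, call fetch_pipelines() with a read-only user's own token and feed the result to triage(); a non-empty list means the server is still returning bot credentials to that role.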
Impact
What kind of vulnerability is it? Who is impacted?
- Vulnerability Type: Privilege Escalation
- Risk: User impersonation, even for those with read-only access, can lead to destructive outcomes if malicious actors leverage the leaked JWT.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.open-metadata:openmetadata-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26010"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-11T14:23:02Z",
"nvd_published_at": "2026-02-11T21:16:21Z",
"severity": "HIGH"
},
"details": "### Summary\nCalls issued by the UI against `/api/v1/ingestionPipelines` leak JWTs used by `ingestion-bot` for certain services (Glue / Redshift / Postgres)\n\n### Details\nAny read-only user can gain access to a highly privileged account, typically which has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata which would be unavailable per roles/policies). \n\n\n### PoC\nI was able to extract the JWT used by the bot/agent populating [sample_athena.default](https://sandbox.open-metadata.org/database/sample_athena.default) in the Collate Sandbox. To prove this out, I mutated the description to this UUID: `fe2e4cc1-da72-4acf-8535-112a3cfa9c7e,` which you can see @ https://sandbox.open-metadata.org/database/sample_athena.default.\n\n#### Steps to Reproduce\n\n* Create a Collate Sandbox account; these are non-admin accounts by default with minimal permissions.\n* Open the Developer Console\n* Go to the Services Page. 
In this case, [sample_athena](https://sandbox.open-metadata.org/service/databaseServices/sample_athena?showDeletedTables=false\u0026currentPage=1), though other services \n* In the Network tab, introspect the request made to api/v1/services/ingestionPipelines, and find the jwtToken in the response:\n\u003cimg width=\"1329\" height=\"299\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0c405776-159e-4188-9591-ed8cc71bc596\" /\u003e\n\n* Use the JWT to issue (potentially destructive) API calls\n\u003cimg width=\"3024\" height=\"1798\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ab40b528-4d2b-404b-8f8a-482a1693e179\" /\u003e\n\n* Resulting mutated description:\n\u003cimg width=\"622\" height=\"399\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3fa630ff-93b5-4b7d-8e3c-220f8a84a23a\" /\u003e\n\nNote that this is also the case for these services, among others:\n* [acme_nexus_redshift](https://sandbox.open-metadata.org/service/databaseServices/acme_nexus_redshift) \n* [sample_postgres](https://sandbox.open-metadata.org/service/databaseServices/sample_postgres)\n\n### Proposed Remediation\nRedact jwtToken in API payload.\nImplement role-based filtering - Only return JWT tokens to users with explicit admin/service account permissions\n(for Admins) Rotate Ingestion Bot Tokens in affected environments\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n* Vulnerability Type: Privilege Escalation\n* Risk: User impersonation, even for those with read-only access, can lead to destructive outcomes if malicious actors leverage the leaked JWT.",
"id": "GHSA-pqqf-7hxm-rj5r",
"modified": "2026-02-18T23:30:21Z",
"published": "2026-02-11T14:23:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-pqqf-7hxm-rj5r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26010"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-metadata/OpenMetadata"
},
{
"type": "WEB",
"url": "https://github.com/open-metadata/OpenMetadata/releases/tag/1.11.8-release"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Leaky JWTs in OpenMetadata exposing highly-privileged bot users"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.