← Back

CVE-2026-26010

nvd nist
Published: Feb 11, 2026Modified: Feb 13, 2026

JSON object

Loading...
7.6
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Exploitability: 2.8 / Impact: 4.7
Source: NVD

Description

OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres). Any read-only user can gain access to a highly privileged account, typically which has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata which would be unavailable per roles/policies). This vulnerability is fixed in 1.11.8.

Affected (1)

Open Metadata
1 product
Openmetadata
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Openmetadata
Before 1.11.8

Related CWEs

CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (2)

Source: security-advisories@github.com
ProductRelease Notes
Source: security-advisories@github.com
ExploitVendor Advisory

Timeline

No history available yet.