7.6

CVE-2026-26010

Exploit

EPSS 0.33%
Veröffentlicht 11.02.2026 21:16:21
Zuletzt bearbeitet 13.02.2026 21:34:48
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Leaky JWTs in OpenMetadata exposing highly-privileged bot users

OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres). Any read-only user can gain access to a highly privileged account, typically which has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata which would be unavailable per roles/policies). This vulnerability is fixed in 1.11.8.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Open-metadata ≫ Openmetadata Version < 1.11.8

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.247

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.6	2.8	4.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
security-advisories@github.com	7.6	2.8	4.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://github.com/open-metadata/OpenMetadata/releases/tag/1.11.8-release

Product

Release Notes

https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-pqqf-7hxm-rj5r

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-26010

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-26010

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-26010

EUVD