CVE-2026-26010
CVE-2026-26010 is a high-severity vulnerability in OpenMetadata with a CVSS v3.1 base score of 7.6. OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak the JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres), so any authenticated read-only user can obtain a highly privileged bot credential. EPSS estimates a 0.33% chance of exploitation in the next 30 days.
Description
OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak the JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres). Any read-only user can therefore gain access to a highly privileged account, which typically holds the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances and potential data leakage (e.g. sample data, or service metadata that the user's own roles/policies would not allow them to see). This vulnerability is fixed in 1.11.8.
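The check below is an added example, not part of the NVD entry or of the OpenMetadata project's own code. It does two things a practitioner would want before and after patching: compares the server's reported version against the fixed 1.11.8, and walks the JSON returned by /api/v1/ingestionPipelines looking for anything shaped like a JWT (three base64url segments whose first segment decodes to a header with an `alg` claim). The scanner deliberately does not depend on any particular field name, because the advisory does not say which field carries the token. Assumptions not taken from the page: the Bearer token header as the authentication scheme, the /api/v1/system/version endpoint and its `version` field, and the field names in the constructed sample response (which exist only to give the offline run something to find).

```python
"""Check an OpenMetadata instance for CVE-2026-26010 ingestion-bot JWT leakage.

Offline: `python check_cve_2026_26010.py` scans a constructed sample response.
Live:    `python check_cve_2026_26010.py https://openmetadata.example <read-only user JWT>`
"""
import base64
import json
import re
import sys
import urllib.request

FIXED_VERSION = (1, 11, 8)

# Three base64url segments separated by dots: header.payload.signature
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$")


def parse_version(text):
    """'1.11.7', '1.11.7.0' or '1.11.8-SNAPSHOT' -> (1, 11, 7) style tuple."""
    nums = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in nums[:3])


def is_vulnerable_version(text):
    """True for any release before the fixed 1.11.8."""
    return parse_version(text) < FIXED_VERSION


def _b64url_json(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def looks_like_jwt(value):
    """JWT shape plus a decodable header carrying 'alg'; rejects URLs, names, etc."""
    if not isinstance(value, str) or not JWT_RE.match(value):
        return False
    try:
        header = _b64url_json(value.split(".")[0])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict) and "alg" in header


def find_jwts(obj, path="$"):
    """Walk any JSON value; return [(json_path, payload_claims)] for every JWT found."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            hits.extend(find_jwts(val, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_jwts(val, f"{path}[{i}]"))
    elif looks_like_jwt(obj):
        try:
            claims = _b64url_json(obj.split(".")[1])
        except ValueError:
            claims = {}
        hits.append((path, claims))
    return hits


def make_fake_jwt(claims):
    """Unsigned, JWT-shaped string for the constructed sample; the signature is junk."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.{"x" * 43}'


# Constructed sample: the field names are assumptions, not the real API schema.
SAMPLE_RESPONSE = {
    "data": [
        {
            "name": "glue_metadata",
            "service": {"type": "databaseService", "name": "glue_prod"},
            "openMetadataServerConnection": {
                "hostPort": "http://openmetadata:8585/api",
                "securityConfig": {
                    "jwtToken": make_fake_jwt({"sub": "ingestion-bot", "iss": "open-metadata.org"})
                },
            },
        },
        {"name": "postgres_usage", "service": {"type": "databaseService", "name": "pg_prod"}},
    ],
    "paging": {"total": 2},
}


def fetch_json(url, token, timeout=10):
    """GET a JSON endpoint; Bearer auth is assumed here, not taken from the advisory."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_instance(base_url, token):
    """Return (version_text, is_vulnerable_version, leaked_jwts) for a live server."""
    version = fetch_json(f"{base_url}/api/v1/system/version", token).get("version", "")
    pipelines = fetch_json(f"{base_url}/api/v1/ingestionPipelines", token)
    return version, is_vulnerable_version(version), find_jwts(pipelines)


def main(argv):
    if len(argv) == 3:
        version, vulnerable, leaked = check_instance(argv[1].rstrip("/"), argv[2])
        print(f"server version {version!r}: {'below' if vulnerable else 'at or above'} 1.11.8")
    else:
        leaked = find_jwts(SAMPLE_RESPONSE)
        print("offline mode: scanning constructed sample response")
    for path, claims in leaked:
        print(f"JWT-shaped value at {path}, sub={claims.get('sub')!r}")
    print("LEAK: bot token visible to this user" if leaked else "no JWT-shaped values found")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the token of a deliberately low-privileged user: a hit on an unpatched server is the leak the advisory describes, and a clean run after upgrading confirms the fix for the pipelines that user can list. Only the payload claims are printed, never the token itself, so the output can go into a ticket.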
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Open-Metadata | Openmetadata | < 1.11.8 |
References
- https://github.com/open-metadata/OpenMetadata/releases/tag/1.11.8-release (Product, Release Notes)
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-pqqf-7hxm-rj5r (Exploit, Vendor Advisory)
Frequently Asked Questions
What is CVE-2026-26010?
A credential-leak flaw in OpenMetadata before 1.11.8: responses to UI calls against /api/v1/ingestionPipelines include the JWT that ingestion-bot uses for certain services (Glue / Redshift / Postgres), so any authenticated read-only user can obtain that token and act with the Ingestion Bot Role.
How severe is CVE-2026-26010?
CVSS v3.1 base score 7.6 (High), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L: reachable over the network with low privileges and no user interaction, with high integrity impact and low confidentiality and availability impact. EPSS estimates a 0.33% probability of exploitation within 30 days.
How do I fix CVE-2026-26010?
Upgrade OpenMetadata to 1.11.8 or later. A token that has already been read out of an API response stays usable until it expires or is revoked, so regenerating the ingestion-bot token after the upgrade removes the value of anything captured before it.
Are you affected by CVE-2026-26010?
You are exposed if you run any OpenMetadata version below 1.11.8 and have users with read-only access who are not trusted with the Ingestion Bot Role; the leak concerns ingestion pipelines for Glue, Redshift and Postgres services.
Source: NVD / NIST
