OpenMetadata's Open Kimono: CVE-2026-26010 Leaks the Keys to the Kingdom
Vulnerability ID: CVE-2026-26010
CVSS Score: 7.6
Published: 2026-02-11
A critical information disclosure vulnerability in OpenMetadata's REST API allowed authenticated users with minimal privileges to retrieve the raw JWT tokens of the highly privileged 'ingestion-bot'. This flaw, present in versions prior to 1.11.8, stemmed from excessive data exposure in API responses, enabling a trivial privilege escalation path from read-only access to full administrative control over the metadata platform.
TL;DR
OpenMetadata < 1.11.8 leaked the ingestion-bot admin token in plain JSON API responses. Any logged-in user could grab it and take over the system. Fixed in 1.11.8 by nullifying credentials in standard API calls.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-213
- Attack Vector: Network (API)
- CVSS: 7.6 (High)
- Privileges Required: Low (Authenticated)
- Impact: Privilege Escalation / Info Disclosure
- Exploit Status: Trivial / PoC Available
Affected Systems
- OpenMetadata Server
- OpenMetadata: < 1.11.8 (Fixed in: 1.11.8)
Code Analysis
Commit: 1c05bf4
Fixed security issue by masking OpenMetadataServerConnection in IngestionPipelineResource
// Drop the embedded server connection (and the bot JWT it carries) before the entity is serialized
ingestionPipeline.setOpenMetadataServerConnection(null);
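As an added verification check (not part of this advisory or of the OpenMetadata code base), the following Python walks any JSON API response body and reports where JWT-shaped strings appear, so that after upgrading you can confirm ingestion pipeline responses no longer expose the bot token. The sample responses are constructed, and the `openMetadataServerConnection.securityConfig.jwtToken` field names are an assumption about the entity schema.

```python
import base64
import json
import re

# A JWT is three base64url segments joined by dots; the header segment
# always starts with "eyJ", the base64url encoding of '{"'.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

def find_jwt_paths(node, path="$"):
    """Walk decoded JSON and return JSONPath-style locations of every
    string that looks like a JWT, however deeply it is nested."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_jwt_paths(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_jwt_paths(value, f"{path}[{index}]"))
    elif isinstance(node, str) and JWT_RE.match(node):
        hits.append(path)
    return hits

def audit_response(body: str) -> list:
    """Audit one raw API response body; [] means nothing token-shaped is exposed."""
    return find_jwt_paths(json.loads(body))

def _dummy_jwt() -> str:
    # Constructed, unsigned placeholder with the shape of a real token.
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'HS256'})}.{seg({'sub': 'ingestion-bot'})}.placeholder-sig"

def pipeline_response(server_connection) -> str:
    # Constructed list response in the shape of an ingestion pipeline listing;
    # the field names are an assumption about the entity schema.
    return json.dumps({"data": [{"name": "nightly-metadata",
                                 "openMetadataServerConnection": server_connection}]})

# Pre-1.11.8 shape: the bot's token travels inside the embedded server connection.
VULNERABLE = pipeline_response({"authProvider": "openmetadata",
                                "securityConfig": {"jwtToken": _dummy_jwt()}})
# 1.11.8 shape: setOpenMetadataServerConnection(null) drops the whole object.
FIXED = pipeline_response(None)

if __name__ == "__main__":
    print("vulnerable:", audit_response(VULNERABLE))  # one path reported
    print("fixed:", audit_response(FIXED))  # []
```

Point `audit_response` at the bodies your own client receives from the server; any non-empty result after the upgrade is a field that still needs masking.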
Exploit Details
- Manual: Manual reconstruction via API introspection
Mitigation Strategies
- Minimize Data Exposure
- Principle of Least Privilege
- Token Rotation
Remediation Steps:
- Upgrade OpenMetadata to version 1.11.8 immediately.
- Regenerate/Rotate the JWT for the 'ingestion-bot' service account.
- Review access logs for any anomalous actions performed by the ingestion-bot identity prior to the patch.
References
Read the full report for CVE-2026-26010 on our website for more details including interactive diagrams and full exploit analysis.