CVE-2026-26010

High ⚡ Exploit Available
CWE-269 — Weakness Type
Published: Feb 11, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
7.6
🔗 NVD Official
📄 Description (English)

OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres). Any read-only user can gain access to a highly privileged account, which typically has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances and potential data leakage (e.g. sample data, or service metadata that would otherwise be unavailable under the user's roles/policies). This vulnerability is fixed in 1.11.8.

🤖 AI Executive Summary

OpenMetadata versions prior to 1.11.8 expose the JWT tokens of the ingestion-bot service through the /api/v1/ingestionPipelines API responses, allowing any read-only user to escalate privileges to a highly privileged account. This enables unauthorized access to metadata systems, potential data exfiltration, and destructive changes to OpenMetadata instances. With an exploit available and a high CVSS score (7.6), immediate patching is critical for organizations running OpenMetadata in production environments.

🤖 AI Intelligence Analysis (analyzed: Apr 29, 2026 22:51)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations leveraging OpenMetadata for data governance and metadata management—particularly in banking (SAMA-regulated institutions), government agencies (NCA oversight), healthcare systems, and energy sector (ARAMCO, downstream operators)—face significant risk. The vulnerability allows privilege escalation from read-only users to ingestion-bot accounts with access to sensitive metadata, database credentials, and data lineage information. This directly impacts data protection compliance under NCA ECC 2024 and SAMA CSF requirements. Telecom operators (STC, Mobily) using OpenMetadata for network metadata management are also at risk of unauthorized access to infrastructure metadata.
🏢 Affected Saudi Sectors
Banking & Financial Services; Government & Public Administration; Healthcare & Medical Services; Energy & Utilities; Telecommunications; Data Analytics & Business Intelligence; Enterprise Software & IT Services
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all OpenMetadata instances in your environment and document their versions
2. Restrict network access to the /api/v1/ingestionPipelines endpoint using WAF or API gateway rules
3. Review access logs for suspicious API calls to ingestionPipelines endpoints from read-only user accounts
4. Rotate all JWT tokens and service account credentials immediately
5. Audit all ingestion-bot account activities for unauthorized changes

PATCHING GUIDANCE:
1. Upgrade OpenMetadata to version 1.11.8 or later immediately
2. Test patches in non-production environments first
3. Plan maintenance window with minimal business impact
4. Verify ingestion pipelines function correctly post-upgrade

COMPENSATING CONTROLS (if immediate patching is not possible):
1. Implement strict RBAC—remove read-only user access to /api/v1/ingestionPipelines
2. Deploy API rate limiting and anomaly detection on metadata endpoints
3. Enable comprehensive API logging and monitoring for JWT exposure attempts
4. Implement network segmentation isolating OpenMetadata from untrusted networks
5. Use API gateway to enforce mutual TLS and token validation

DETECTION RULES:
1. Monitor for GET/POST requests to /api/v1/ingestionPipelines from non-admin accounts
2. Alert on JWT tokens appearing in API responses or logs
3. Track privilege escalation attempts using captured tokens
4. Monitor ingestion-bot account for unusual activities (metadata deletions, credential access)
5. Log all API responses containing 'token', 'jwt', or 'authorization' fields
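A defender-side implementation of detection rules 1, 2 and 5 above, written for this page as an added example (it is not part of the advisory or of OpenMetadata): it scans logged /api/v1/ingestionPipelines responses for JWT-shaped values and token-like field names, decodes (without verifying) the JWT subject, and ranks a hit as critical when a non-admin caller received the ingestion-bot token. The event shape, the role names and the response field names (such as serverConnection.jwtToken) are assumptions made for the constructed sample, not OpenMetadata's real schema.

```python
import base64
import json
import re

WATCHED_PATH = "/api/v1/ingestionPipelines"         # endpoint named in the advisory
PRIVILEGED_SUBJECT = "ingestion-bot"                # the account whose JWT leaks
SENSITIVE_KEYS = ("token", "jwt", "authorization")  # rule 5: field names worth recording
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*$")

def jwt_subject(candidate: str):  # 'sub' claim if the string parses as a JWT (decoded only, never verified)
    if not JWT_RE.match(candidate):
        return None
    try:
        head, body = (json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
                      for p in candidate.split(".")[:2])
    except ValueError:  # bad base64 or non-JSON segments: not a token
        return None
    return str(body.get("sub", "")) if isinstance(head, dict) and "alg" in head else None

def _leaves(node, path=""):  # yield (dotted path, scalar value) for every leaf of a nested JSON body
    kids = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    if not isinstance(node, (dict, list)):
        yield path, node
    for k, v in kids:
        yield from _leaves(v, f"{path}[{k}]" if isinstance(k, int) else f"{path}.{k}".lstrip("."))

def scan_event(event: dict) -> list:  # apply rules 1, 2 and 5 to one logged request/response pair
    if not event["path"].startswith(WATCHED_PATH):  # rule 1: only the leaking endpoint
        return []
    non_admin, findings = event["role"].lower() != "admin", []
    for field, value in _leaves(event["response"]):
        key = re.sub(r"\[\d+\]$", "", field.rsplit(".", 1)[-1]).lower()
        sub = jwt_subject(value) if isinstance(value, str) else None
        if sub is None and not any(s in key for s in SENSITIVE_KEYS):
            continue
        # critical: non-admin caller got the bot's JWT; high: any JWT in a body (rule 2); info: rule 5 only
        severity = "critical" if sub == PRIVILEGED_SUBJECT and non_admin else "high" if sub else "info"
        findings.append({"severity": severity, "user": event["user"], "field": field, "subject": sub})
    return findings

def _fake_jwt(sub: str) -> str:  # constructed, unsigned token; the signature segment is a placeholder
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'sub': sub, 'isBot': True})}.placeholder"

# Constructed sample events (field names assumed; this is not real OpenMetadata traffic).
SAMPLE_EVENTS = [
    {"user": "analyst1", "role": "DataConsumer", "path": "/api/v1/ingestionPipelines/glue_meta",
     "response": {"name": "glue_meta", "serverConnection": {"jwtToken": _fake_jwt("ingestion-bot")}}},
    {"user": "admin", "role": "Admin", "path": "/api/v1/ingestionPipelines",
     "response": {"data": [{"authorization": "REDACTED"}]}},
]
```

Feed it one event per logged request; a "critical" finding is the signature of this CVE being exercised and should trigger rotation of the ingestion-bot token (immediate action 4).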
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Identify all OpenMetadata instances in your environment and document their versions
2. Restrict access to the /api/v1/ingestionPipelines endpoint using WAF or API gateway rules
3. Review access logs for suspicious API calls from read-only user accounts
4. Reset all JWT tokens and service account credentials immediately
5. Audit all ingestion-bot account activities for unauthorized changes

PATCHING GUIDANCE:
1. Upgrade OpenMetadata to version 1.11.8 or later immediately
2. Test the patches in non-production environments first
3. Plan the maintenance window with minimal business impact
4. Verify that ingestion pipelines work correctly after the upgrade

COMPENSATING CONTROLS (if immediate patching is not possible):
1. Apply strict RBAC: remove read-only users' access to /api/v1/ingestionPipelines
2. Deploy API rate limiting and anomaly detection on metadata endpoints
3. Enable comprehensive logging and monitoring for JWT exposure attempts
4. Apply network segmentation to isolate OpenMetadata from untrusted networks
5. Use an API gateway to enforce mutual TLS and token validation

DETECTION RULES:
1. Monitor GET/POST requests to /api/v1/ingestionPipelines from non-admin accounts
2. Alert on JWT tokens appearing in API responses or logs
3. Track privilege escalation attempts using the extracted tokens
4. Monitor the ingestion-bot account for unusual activities (metadata deletion, credential access)
5. Log all API responses containing 'token', 'jwt', or 'authorization' fields
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control and Authentication; 5.2.1 - User Access Management; 5.3.1 - Privileged Access Management; 6.1.1 - Audit Logging and Monitoring; 6.2.1 - Security Event Logging
🔵 SAMA CSF
Governance & Risk Management - Access Control; Information & Cybersecurity - Identity & Access Management; Information & Cybersecurity - Logging & Monitoring; Resilience - Incident Detection & Response
🟡 ISO 27001:2022
A.5.2 - User Registration and De-registration; A.5.3 - User Access Provisioning; A.6.2 - Access to Networks and Network Services; A.8.2 - Information Security Awareness; A.9.2 - User Access Management; A.9.4 - Access Control; A.12.4 - Logging
🟣 PCI DSS v4.0.1
Requirement 2 - Default Security Parameters; Requirement 6 - Secure Development; Requirement 7 - Restrict Access to Data; Requirement 8 - User Identification and Authentication; Requirement 10 - Logging and Monitoring
📦 Affected Products / CPE (1 entry): open-metadata:openmetadata
📊 CVSS Score: 7.6 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector (AV:N): Network
Attack Complexity (AC:L): Low
Privileges Required (PR:L): Low
User Interaction (UI:N): None
Scope (S:U): Unchanged
Confidentiality (C:L): Low
Integrity (I:H): High
Availability (A:L): Low
📋 Quick Facts
Severity: High
CVSS Score: 7.6
CWE: CWE-269
EPSS: 0.01%
Exploit: Yes
Patch: Yes
Published: 2026-02-11
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 (Priority: CRITICAL)
🏷️ Tags: exploit-available, CWE-269