{"id":"CVE-2026-26010","summary":"Leaky JWTs in OpenMetadata exposing highly-privileged bot users","details":"OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres). Any read-only user can gain access to a highly privileged account, typically one that has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata that would otherwise be unavailable under the user's roles/policies). This vulnerability is fixed in 1.11.8.","aliases":["GHSA-pqqf-7hxm-rj5r"],"modified":"2026-04-02T13:18:52.699865Z","published":"2026-02-11T21:05:38.735Z","database_specific":{"cwe_ids":["CWE-269"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26010.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/open-metadata/OpenMetadata/releases/tag/1.11.8-release"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26010.json"},{"type":"ADVISORY","url":"https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-pqqf-7hxm-rj5r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26010"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/open-metadata/openmetadata","events":[{"introduced":"0"},{"fixed":"2a975bc6b28d24495dbde6d5e8e411e21bcbefb9"}]}],"versions":["0.10.0-release","0.10.1-release","0.10.2-release","0.10.3-release","0.10.4-release","0.11.0-release","0.11.1-release","0.11.2-release","0.11.3-release","0.11.4-release","0.11.5-release","0.12.0-release","0.12.1-release","0.12.2-preview","0.12.2-release","0.12.3-release","0.13.0-preview","0.13.0-release","0.13.1-release","0.13.2-beta-release","0.13.2-release","0.13.3-release","0.13.4-release","0.3.0-SNAPSHOT.pre","0.3.0-SNAPSHOT.pre2","0.3.0-release","0.3.0-re
lease.pre-3","0.3.1-release","0.4.0","0.4.0-pre","0.5.0","0.6.0","0.7.0-release","0.7.0-release-draft","0.7.1-release","0.8.0-release","0.8.1-release","0.8.2-release","0.8.3-release","0.8.4-release","0.9.0-release","0.9.1-release","1.0.0-alpha-release","1.0.0-beta-release","1.0.0-release","1.0.1-release","1.0.2-release","1.0.3-release","1.0.4-release","1.0.5-release","1.1.0-beta-release","1.1.0-release","1.1.1-release","1.1.2-release","1.1.2.1-release","1.1.3-release","1.1.4-release","1.1.5-release","1.1.6-release","1.1.7-release","1.10.0-release","1.10.1-release","1.10.10-release","1.10.11-release","1.10.12-release","1.10.13-release","1.10.14-release","1.10.2-release","1.10.3-release","1.10.4-release","1.10.5-release","1.10.6-release","1.10.7-release","1.10.8-release","1.10.9-release","1.11.0-rc1-release","1.11.0-release","1.11.1-release","1.11.2-release","1.11.3-release","1.11.4-release","1.11.5-release","1.11.6-release","1.11.7-release","1.12.0-rc1-release","1.12.0-release","1.12.1-release","1.12.3-release","1.12.4-release","1.2.0-beta-release","1.2.0-release","1.2.1-release","1.2.2-release","1.2.3-release","1.2.4-release","1.2.5-release","1.3.0-beta-release","1.3.0-release","1.3.1-release","1.3.2-rc1-release","1.3.2-rc2-release","1.3.2-rc3-release","1.3.2-release","1.3.3-rc1","1.3.3-rc1-release","1.3.3-rc2-release","1.3.3-release","1.3.4-release","1.4.0-rc1-release","1.4.0-rc2-release","1.4.0-rc3-release","1.4.0-rc4-release","1.4.0-release","1.4.1-release","1.4.2-release","1.4.3-release","1.4.4-rc1-release","1.4.4-release","1.4.5-rc1-release","1.4.5-release","1.4.6-rc1-release","1.4.6-release","1.4.7-release","1.4.8-release","1.5.0-rc1-release","1.5.0-rc2-release","1.5.0-release","1.5.1-release","1.5.10-release","1.5.11-release","1.5.12-release","1.5.13-release","1.5.14-release","1.5.15-release","1.5.2-rc1-release","1.5.2-release","1.5.3-release","1.5.4-release","1.5.5-release","1.5.6-release","1.5.7-release","1.5.8-release","1.5.9-release","1.6.0-rc1-release","
1.6.0-rc2-release","1.6.0-rc3-release","1.6.0-release","1.6.1-release","1.6.10-release","1.6.11-release","1.6.12-release","1.6.13-release","1.6.2-release","1.6.3-release","1.6.4-release","1.6.5-release","1.6.6-release","1.6.7-release","1.6.8-release","1.6.9-release","1.7.0-rc1-release","1.7.0-rc2-release","1.7.0-release","1.7.1-release","1.7.2-release","1.7.3-release","1.7.4-release","1.7.5-release","1.7.6-release","1.7.7-release","1.8.0-release","1.8.1-release","1.8.10-release","1.8.11-release","1.8.12-release","1.8.2-release","1.8.3-release","1.8.4-release","1.8.5-release","1.8.6-release","1.8.7-release","1.8.8-release","1.8.9-release","1.9.0-release","1.9.1-release","1.9.10-release","1.9.11-release","1.9.11.7-release","1.9.11.8-release","1.9.12-release","1.9.13-release","1.9.14-release","1.9.15-release","1.9.16-release","1.9.17-release","1.9.2-release","1.9.3-release","1.9.4-release","1.9.5-release","1.9.6-release","1.9.7-release","1.9.8-release","1.9.9-release","v1.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26010.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L"}]}