CVE-2026-26010
Published: 11 February 2026
Summary
CVE-2026-26010 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Open-Metadata Openmetadata. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
Enforces proper privilege management by requiring all decisions through the verified reference monitor.
By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
Implements core proper privilege management by restricting to only required rights.
Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
Training covers proper privilege management practices, making incorrect privilege assignments less likely.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln directly leaks JWT application access tokens via API to low-priv users (T1528), enabling use of stolen tokens for auth (T1550.001) and privilege escalation from read-only to Ingestion Bot role (T1068).
NVD Description
OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres). Any read-only user can gain access to a highly privileged account,…
more
typically which has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata which would be unavailable per roles/policies). This vulnerability is fixed in 1.11.8.
Deeper analysisAI
CVE-2026-26010 is a vulnerability in OpenMetadata, a unified metadata platform, affecting versions prior to 1.11.8. It stems from UI calls to the /api/v1/ingestionPipelines endpoint that inadvertently leak JSON Web Tokens (JWTs) used by the ingestion-bot for specific services, including Glue, Redshift, and Postgres. This flaw, associated with CWE-269 (Improper Privilege Management), has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).
Any read-only user can exploit this vulnerability over the network with low complexity to capture the leaked JWTs, gaining access to a highly privileged account typically holding the Ingestion Bot Role. Successful exploitation enables destructive changes within OpenMetadata instances and potential data leakage, such as sample data or service metadata that would otherwise be restricted by roles and policies.
The vulnerability is addressed in OpenMetadata 1.11.8. Additional details on the fix and mitigation are available in the GitHub security advisory at https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-pqqf-7hxm-rj5r and the release notes at https://github.com/open-metadata/OpenMetadata/releases/tag/1.11.8-release.
Details
- CWE(s)