CVE-2024-28253
📋 TL;DR
This vulnerability in OpenMetadata allows remote attackers to execute arbitrary code by exploiting a Spring Expression Language (SpEL) injection flaw. A crafted PUT request to the /api/v1/policies endpoint carries an attacker-controlled SpEL expression that the server evaluates before it performs the authorization check for that request, so the check offers no protection against the injection. All OpenMetadata instances running vulnerable versions are affected.
💻 Affected Systems
- OpenMetadata (versions before the 1.3.1 patch release listed below)
📦 What is this software?
OpenMetadata, an open-source metadata platform for data discovery, observability and governance, published by the OpenMetadata project (vendor listed as Open Metadata).
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the OpenMetadata server: the attacker can read or alter the metadata store, steal the credentials OpenMetadata holds for the data sources it connects to, disrupt the service, and pivot to those connected systems.
Likely Case
Remote code execution leading to metadata manipulation, data exfiltration, and potential privilege escalation within the OpenMetadata environment.
If Mitigated
Limited impact if network segmentation restricts access, but successful exploitation still compromises the OpenMetadata instance.
🎯 Exploit Status
Exploitation requires sending a crafted PUT request to /api/v1/policies whose body contains a malicious SpEL expression. Authentication may be required, but because the authorization check runs only after the vulnerable code has already evaluated the expression, an authenticated account does not need permission to manage policies for the attack to succeed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.1
Vendor Advisory: https://github.com/open-metadata/OpenMetadata/security/advisories
Restart Required: Yes
Instructions:
1. Back up your OpenMetadata configuration and data (the metadata database and any secrets configuration).
2. Stop the OpenMetadata service.
3. Update to version 1.3.1 or later using your deployment method (Docker, Kubernetes, or direct installation).
4. Restart the service.
5. Verify the update was successful (see "How to Verify" below).
If the instance was reachable by untrusted users before patching, treat it as potentially compromised and review the indicators under "Detection & Monitoring".
🔧 Temporary Workarounds
No workarounds available. The vendor states there are no known workarounds for this vulnerability; upgrading is the only fix.
🧯 If You Can't Patch
- Restrict network access to OpenMetadata instances using firewalls or network segmentation
- Implement web application firewall (WAF) rules to block or alert on PUT requests to /api/v1/policies whose body contains SpEL constructs such as type references (T(...)), constructors (new ...) or reflection calls. Treat this as a stop-gap only: SpEL expressions can be written in many equivalent forms, and a signature-based rule can be bypassed.
- Because the flaw is reachable by any authenticated account regardless of its policy permissions, minimise the set of accounts (including bot accounts) that can authenticate to the instance while it remains unpatched.
🔍 How to Verify
Check if Vulnerable:
Check if your OpenMetadata version is below 1.3.1 by accessing the UI or API and reviewing the version information. The API call below returns a JSON object whose "version" field holds the running version; compare it numerically, not as a string (1.10.0 is newer than 1.3.1).
Check Version:
curl -X GET http://your-openmetadata-server:8585/api/v1/system/version
Verify Fix Applied:
Confirm the OpenMetadata version is 1.3.1 or higher. If you want a functional check, run it against a non-production instance and use a harmless expression rather than a command-execution payload: a PUT to /api/v1/policies whose rule condition contains a SpEL type reference such as T(java.lang.String) should be rejected by the patched version; if the server evaluates it, the fix is not in place.
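The version check is easy to get wrong in a script that compares version strings lexically. The following is an added example (not OpenMetadata project code): it fetches GET /api/v1/system/version, reads the "version" field and compares it numerically against 1.3.1, the patch version this page lists. The response field name, the treatment of SNAPSHOT builds as older than their release, and the default port are assumptions; add an Authorization header if your deployment requires one for this endpoint.

```python
"""Decide whether an OpenMetadata instance is below the patched release.

Added example, not OpenMetadata project code. It reads the JSON returned by
GET /api/v1/system/version (its "version" field, e.g. "1.2.3", assumed) and
compares it numerically: a plain string comparison would call "1.10.0" older
than "1.3.1". Pre-release builds such as "1.3.1-SNAPSHOT" are treated as
older than the release they precede, so they are reported as vulnerable.
"""
import json
import re
import sys
import urllib.request

FIXED_VERSION = "1.3.1"  # patch version listed on this page


def parse_version(text: str) -> tuple:
    """'1.2.3' -> (1, 2, 3, 1); '1.3.1-SNAPSHOT' -> (1, 3, 1, 0).

    The last element is 1 for a release and 0 for a build with any suffix,
    so a pre-release sorts below the release carrying the same number.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(p) for p in m.group(1).split(".")][:3]
    numbers += [0] * (3 - len(numbers))          # "1.3" -> 1.3.0
    is_release = 1 if not m.group(2).strip(" -_+.") else 0
    return tuple(numbers) + (is_release,)


def is_vulnerable(version_json: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the /api/v1/system/version body reports a version below `fixed`."""
    running = json.loads(version_json)["version"]
    return parse_version(running) < parse_version(fixed)


def check_server(base_url: str, timeout: float = 5.0) -> tuple:
    """Query a live server; returns (reported_version, vulnerable)."""
    url = base_url.rstrip("/") + "/api/v1/system/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return json.loads(body)["version"], is_vulnerable(body)


if __name__ == "__main__":
    # Usage: python check_openmetadata_version.py http://your-openmetadata-server:8585
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8585"
    version, vulnerable = check_server(base)
    print(f"{base}: OpenMetadata {version} -> {'VULNERABLE' if vulnerable else 'patched'}")
    sys.exit(1 if vulnerable else 0)
```

The non-zero exit code on a vulnerable result lets the script gate a CI job or an inventory sweep across many hosts.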
📡 Detection & Monitoring
Log Indicators:
- Unusual PUT requests to /api/v1/policies endpoint
- SpEL expression patterns in request logs (note that a standard HTTP access log records the method and path but not the request body, so body-level indicators need a reverse proxy or WAF that logs bodies)
- Unexpected process execution from OpenMetadata service
Network Indicators:
- PUT requests to /api/v1/policies containing SpEL syntax like T(java.lang.Runtime)
- Outbound connections from OpenMetadata server to unexpected destinations
SIEM Query:
source="openmetadata" AND (uri_path="/api/v1/policies" AND http_method="PUT" AND (request_body="*T(*" OR request_body="*Runtime*" OR request_body="*getRuntime*" OR request_body="*ProcessBuilder*" OR request_body="*forName*" OR request_body="*getClass*" OR request_body="*new java*"))
Field names are illustrative; map them to your log source, and keep in mind that a wildcard signature list catches only the obvious payload shapes.
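The indicators above depend on a log source that captures request bodies, so they are normally evaluated at a reverse proxy or WAF in front of OpenMetadata. The following added example (not OpenMetadata project code, and not from the advisory) runs that logic over a few constructed JSON request-log lines. It combines the signature patterns from the SIEM query with an allowlist check: OpenMetadata policy rules carry a SpEL condition, and the set of condition helpers the product documents (isOwner(), matchAnyTag() and so on) is small, so any other function call inside a condition is worth flagging even when it matches no known payload. The log format, its field names and the helper allowlist are assumptions to adapt to your deployment.

```python
"""Flag suspicious PUT /api/v1/policies requests in request logs.

Added example, not OpenMetadata project code. Assumes a reverse proxy or
WAF in front of OpenMetadata writes one JSON object per request with
"method", "path", "remote" and the raw "body" (field names are assumptions;
OpenMetadata's own access log does not record bodies).
"""
import json
import re

# Condition helpers OpenMetadata documents for policy rules (assumption:
# check the list for your version). Any other function call inside a rule
# condition is anomalous and worth a look even if no payload signature fires.
KNOWN_CONDITION_FUNCTIONS = {
    "isOwner", "noOwner", "matchAllTags", "matchAnyTag", "matchTeam",
    "inAnyTeam", "hasAnyRole", "hasDomain",
}

# SpEL constructs that never belong in a policy condition: type references,
# constructors, reflection and process execution.
SPEL_ABUSE = re.compile(
    r"\bT\s*\(|\bnew\s+[\w.]+\s*\(|\bgetRuntime\b|\bProcessBuilder\b"
    r"|\bforName\b|\bgetClass\b|\bexec\s*\(|\bgetMethod\b|\binvoke\b"
)

# identifier immediately followed by "(" -> a function or method call in SpEL
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def suspicious_reasons(body: str) -> list:
    """Return the reasons a policy request body looks like SpEL injection."""
    reasons = []
    if SPEL_ABUSE.search(body):
        reasons.append("spel-abuse-pattern")
    try:
        policy = json.loads(body)
    except ValueError:
        return reasons + ["unparseable-json"]
    for rule in policy.get("rules") or []:
        cond = rule.get("condition")
        if not isinstance(cond, str):
            continue
        unknown = {f for f in CALL.findall(cond) if f not in KNOWN_CONDITION_FUNCTIONS}
        if unknown:
            reasons.append("unknown-condition-function:" + ",".join(sorted(unknown)))
    return reasons


def scan(lines):
    """Yield (line_no, remote, reasons) for suspicious PUT /api/v1/policies requests."""
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a JSON log line
        if rec.get("method") != "PUT" or not str(rec.get("path", "")).startswith("/api/v1/policies"):
            continue
        reasons = suspicious_reasons(rec.get("body") or "")
        if reasons:
            yield n, rec.get("remote"), reasons


def log_line(remote, method, path, payload=None):
    """Build one constructed log line in the assumed proxy format."""
    body = json.dumps(payload) if payload is not None else ""
    return json.dumps({"remote": remote, "method": method, "path": path, "body": body})


def policy_body(name, condition):
    """Minimal CreatePolicy-shaped body with a single rule (constructed)."""
    return {"name": name, "rules": [{"name": "r1", "resources": ["All"],
                                     "operations": ["ViewAll"], "effect": "allow",
                                     "condition": condition}]}


# Constructed sample log: one legitimate update, one read, three attack attempts.
SAMPLE_LOG = [
    log_line("10.0.0.5", "PUT", "/api/v1/policies", policy_body("OwnerPolicy", "isOwner()")),
    log_line("10.0.0.5", "GET", "/api/v1/policies/name/OwnerPolicy"),
    log_line("203.0.113.7", "PUT", "/api/v1/policies",
             policy_body("x", "T(java.lang.Runtime).getRuntime().exec('id')")),
    log_line("203.0.113.7", "PUT", "/api/v1/policies",
             policy_body("y", "isOwner() or ''.getClass().forName('java.lang.Runtime')")),
    log_line("203.0.113.7", "PUT", "/api/v1/policies",
             policy_body("z", "hasAnyRole('Admin') and someNewHelper()")),
]

if __name__ == "__main__":
    for n, remote, reasons in scan(SAMPLE_LOG):
        print(f"line {n} from {remote}: {'; '.join(reasons)}")
```

The last sample line shows why the allowlist matters: it contains none of the signature strings, yet it calls a helper OpenMetadata does not provide, which is exactly what a payload written to dodge a blocklist would look like.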
🔗 References
- https://codeql.github.com/codeql-query-help/java/java-spel-expression-injection
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EntityRepository.java#L693
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java#L219
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/resources/policies/PolicyResource.java#L365
- https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/PolicyRepository.java#L113
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-7vf4-x5m2-r6gr