CVE-2024-28255

9.8 CRITICAL

📋 TL;DR

CVE-2024-28255 is an authentication bypass vulnerability in OpenMetadata's JWT filter that allows attackers to access protected endpoints without valid credentials by manipulating path parameters. This affects all OpenMetadata deployments using versions before 1.2.4. Successful exploitation can lead to unauthorized access and potential remote code execution via SpEL injection.

💻 Affected Systems

Products:
  • OpenMetadata
Versions: All versions before 1.2.4
Operating Systems: All platforms running OpenMetadata
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability exists in the JWT filter's path exclusion logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via authentication bypass leading to arbitrary SpEL expression injection and remote code execution, potentially allowing full control over the OpenMetadata instance and underlying infrastructure.

🟠 Likely Case

Unauthorized access to sensitive metadata, configuration data, and administrative functions, potentially leading to data exfiltration, privilege escalation, or service disruption.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, potentially only exposing non-sensitive endpoints or causing authentication errors.

🌐 Internet-Facing: HIGH - Internet-facing OpenMetadata instances are directly exploitable without authentication, making them prime targets for attackers.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or attackers who have gained initial network access through other means.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit by crafting URLs with path parameters that match excluded endpoints. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.4

Vendor Advisory: https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84

Restart Required: Yes

Instructions:

1. Back up your OpenMetadata configuration and data.
2. Stop the OpenMetadata service.
3. Upgrade to version 1.2.4 or later using your deployment method (Docker, Kubernetes, or direct installation).
4. Restart the service.
5. Verify the fix by testing authentication requirements.

🔧 Temporary Workarounds

No official workarounds

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Implement strict network access controls to limit OpenMetadata access to trusted IP addresses only
  • Deploy a web application firewall (WAF) with rules to detect and block path parameter manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check if your OpenMetadata version is below 1.2.4. Attempt to access a protected endpoint using a crafted URL with path parameters that might bypass authentication.

Check Version:

Check the OpenMetadata UI dashboard or API endpoint for version information, or examine deployment manifests/configuration files.

Verify Fix Applied:

After upgrading to 1.2.4 or later, verify that authentication is required for all protected endpoints and that path parameter manipulation no longer bypasses authentication.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication bypass patterns in access logs
  • Requests with semicolons or encoded slashes in URLs
  • Access to protected endpoints without authentication tokens

Network Indicators:

  • HTTP requests containing ;v1%2fusers%2flogin in the path
  • Unauthenticated requests to normally protected API endpoints

SIEM Query:

source="openmetadata" AND (url="*;*" OR (status_code=200 AND auth_token=null AND url!="/api/v1/users/login"))
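The log and network indicators above can be checked offline against exported access logs before a SIEM rule is written. The following is an added example for this page, not OpenMetadata project code: it assumes a simplified, constructed access-log format (`<client_ip> <method> <path> <status> <auth_header_present>`) that you would adapt to your proxy or application log layout, and it flags the three indicator classes listed in this section: a semicolon path parameter, a percent-encoded slash, and a successful (200) response on a protected `/api/v1/` endpoint with no authentication token, with the login endpoint itself excluded since it is legitimately unauthenticated.

```python
"""Flag access-log entries matching the CVE-2024-28255 detection indicators.

Example detection code written for this page; not from OpenMetadata.
Assumed (constructed) log format, one request per line:
    <client_ip> <method> <path> <status> <auth_header_present: yes|none>
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines, not real traffic. The second line carries the
# network indicator named on this page: ";v1%2fusers%2flogin" in the path.
SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/users/login 200 none
198.51.100.7 GET /api/v1/tables;v1%2fusers%2flogin 200 none
198.51.100.7 GET /api/v1/tables 401 none
10.0.0.9 GET /api/v1/tables 200 yes
203.0.113.4 GET /api/v1/tables/db%2fschema%2ftable 200 none
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (yes|none)$")
LOGIN_PATH = "/api/v1/users/login"   # legitimately unauthenticated endpoint
PROTECTED_PREFIX = "/api/v1/"


@dataclass
class Finding:
    client_ip: str
    path: str
    reasons: List[str] = field(default_factory=list)


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches any indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip rather than guess
    ip, _method, path, status, auth = m.groups()
    lowered = path.lower()
    reasons: List[str] = []

    # Indicator: semicolon in the path (servlet-style path parameter).
    if ";" in path:
        reasons.append("semicolon path parameter")
    # Indicator: percent-encoded slash anywhere in the raw request path.
    if "%2f" in lowered:
        reasons.append("encoded slash")
    # Indicator: the exact substring this page lists as a network indicator.
    if ";v1%2fusers%2flogin" in lowered:
        reasons.append("login path smuggled as path parameter")
    # Indicator: 200 on a protected /api/v1/ endpoint with no token present.
    # Strip any path parameter first so "/api/v1/tables;..." is judged as
    # the endpoint the application would actually serve.
    bare = path.split(";", 1)[0]
    if (status == "200" and auth == "none"
            and bare.startswith(PROTECTED_PREFIX) and bare != LOGIN_PATH):
        reasons.append("unauthenticated 200 on protected endpoint")

    return Finding(ip, path, reasons) if reasons else None


def scan(log_text: str) -> List[Finding]:
    """Run analyse_line over every line and keep the hits, in log order."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.client_ip} {finding.path}: {', '.join(finding.reasons)}")
```

Run against the constructed sample, the login request and the 401 are not flagged, the authenticated 200 is not flagged, and the two remaining lines are reported with the reasons that apply to each. Tune `PROTECTED_PREFIX` and the auth-presence field to how your reverse proxy records the `Authorization` header.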
