CVE-2025-50467

6.5 MEDIUM

📋 TL;DR

OpenMetadata versions up to 1.4.4 contain a SQL injection vulnerability in the TestDefinitionDAO interface. Attackers can exploit the supportedDataTypeParam parameter in the listCount function to extract sensitive database information. This affects all deployments running vulnerable versions of OpenMetadata.

💻 Affected Systems

Products:
  • OpenMetadata
Versions: <=1.4.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise including extraction of sensitive metadata, user credentials, and configuration data, potentially leading to complete system takeover.

🟠 Likely Case

Unauthorized data extraction from the OpenMetadata database, exposing metadata about data assets, user information, and system configurations.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only exposing non-sensitive metadata.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of the API endpoint and parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >1.4.4

Vendor Advisory: https://github.com/open-metadata/OpenMetadata/security/advisories

Restart Required: No

Instructions:

1. Upgrade OpenMetadata to version 1.4.5 or later.
2. Verify the fix by checking the CollectionDAO.java file for proper parameterized queries in the listCount function.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement web application firewall or proxy rules to filter suspicious SQL patterns in the supportedDataTypeParam parameter.

🧯 If You Can't Patch

  • Implement strict database user permissions to limit what data can be accessed via the vulnerable function.
  • Deploy network segmentation to restrict access to the OpenMetadata API endpoints.

🔍 How to Verify

Check if Vulnerable:

Check the OpenMetadata version via the admin interface or by examining the deployment configuration. If the version is <=1.4.4, the system is vulnerable.

Check Version:

Check the OpenMetadata UI admin panel or the deployment configuration files for version information.

Verify Fix Applied:

After upgrading, verify that the CollectionDAO.java file no longer contains raw SQL concatenation with the supportedDataTypeParam parameter.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns in application logs
  • Multiple rapid requests to TestDefinitionDAO endpoints with varying parameters

Network Indicators:

  • Unusual patterns in API calls to /api/v1/testDefinition endpoints with SQL-like parameters

SIEM Query:

source="openmetadata" AND (uri_path="/api/v1/testDefinition" AND (param="supportedDataTypeParam" AND value CONTAINS "' OR "))
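As an added illustration, not code from the advisory or from OpenMetadata, the Log Indicators and the SIEM query above are turned into an offline detector that runs over constructed access-log lines and reports both injection-like values and bursts of varying requests from one client. The log line format, the query-string parameter name supportedDataTypeParam (taken from the SIEM query), and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed log format (assumed, not OpenMetadata's own): <ip> [<ISO time>] "<METHOD> <target> HTTP/1.1" <status>
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3})')
# SQL metacharacter heuristic: the "' OR " indicator from the SIEM query plus
# comment, UNION and stacked-query tokens. Tune it against your own traffic.
SQLI_RE = re.compile(r"(?i)('\s*(or|and)\b|--|/\*|\bunion\b|;\s*\w)")
TARGET_PREFIX = "/api/v1/testDefinition"
PARAM = "supportedDataTypeParam"  # parameter name as given in the advisory

def parse_line(line):
    """Return (ip, time, PARAM values) for a request to the target path, else None."""
    m = LINE_RE.match(line)
    parts = urlsplit(m.group(4)) if m else None
    if parts is None or not parts.path.startswith(TARGET_PREFIX):
        return None
    return m.group(1), datetime.fromisoformat(m.group(2)), parse_qs(parts.query).get(PARAM, [])

def scan(log_text, burst_threshold=3, window_seconds=10):
    """Return (hits, bursty_ips): hits are (ip, decoded value) pairs matching SQLI_RE;
    bursty_ips sent >= burst_threshold distinct values inside one window_seconds span."""
    hits, per_ip = [], defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, values = parsed
        for value in values:  # parse_qs has already URL-decoded the value
            per_ip[ip].append((when, value))
            if SQLI_RE.search(value):
                hits.append((ip, value))
    bursty = set()
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {v for t, v in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(seen) >= burst_threshold:
                bursty.add(ip)
                break
    return hits, sorted(bursty)

def _req(ip, sec, value):  # builds one constructed sample line (not real traffic)
    return f'{ip} [2025-01-01T10:00:{sec:02d}] "GET {TARGET_PREFIX}?{PARAM}={value} HTTP/1.1" 200'

SAMPLE_LOG = "\n".join([_req("10.0.0.5", 0, "STRING"),  # benign request
    _req("10.0.0.9", 1, "STRING%27%20OR%20%271%27%3D%271"),  # tautology probe
    _req("10.0.0.7", 2, "A"), _req("10.0.0.7", 3, "B"), _req("10.0.0.7", 4, "C")])  # varying burst
```

Run `scan(SAMPLE_LOG)` to get the probe from 10.0.0.9 as a hit and 10.0.0.7 as a bursty client; requests to other paths are ignored by `parse_line`.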
