CVE-2026-25644

7.5 HIGH

📋 TL;DR

DataHub's LDAP ingestion source is vulnerable to TLS downgrade attacks, allowing man-in-the-middle attackers to intercept and potentially modify LDAP authentication traffic. This affects all DataHub deployments using LDAP authentication with versions prior to 1.3.1.8.

💻 Affected Systems

Products:
  • DataHub
Versions: All versions prior to 1.3.1.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using LDAP authentication. Other authentication methods are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers intercept LDAP credentials, gain unauthorized access to DataHub, and potentially compromise sensitive metadata or pivot to other systems using stolen credentials.

🟠 Likely Case

Credential theft leading to unauthorized access to DataHub's metadata platform and potential data exfiltration.

🟢 If Mitigated

Limited impact if LDAP traffic is already protected by network segmentation or if alternative authentication methods are used.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a MITM position on the network path between DataHub and the LDAP server. The attack leverages a TLS downgrade to force plaintext LDAP communication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1.8

Vendor Advisory: https://github.com/datahub-project/datahub/security/advisories/GHSA-j34h-x7qg-4qw5

Restart Required: Yes

Instructions:

1. Back up your DataHub configuration and data.
2. Upgrade DataHub to version 1.3.1.8 or later.
3. Restart all DataHub services.
4. Verify that LDAP authentication is working correctly.

🔧 Temporary Workarounds

Disable LDAP authentication (applies to: all)

Temporarily disable LDAP authentication and use alternative authentication methods until patching is possible. Modify the DataHub configuration to remove the LDAP authentication source.

Network segmentation (applies to: all)

Isolate DataHub and LDAP server communication to trusted network segments only.

🧯 If You Can't Patch

  • Implement network-level TLS termination or VPN between DataHub and LDAP server
  • Monitor network traffic for unexpected TLS downgrade attempts or plaintext LDAP communication

🔍 How to Verify

Check if Vulnerable:

Check the DataHub version: if the version is earlier than 1.3.1.8 and LDAP authentication is configured, the system is vulnerable.

Check Version:

Check the DataHub deployment configuration or, for Kubernetes deployments, list the running image tags: kubectl get pods -n datahub -o jsonpath='{.items[*].spec.containers[*].image}'

Verify Fix Applied:

Confirm DataHub version is 1.3.1.8 or later and test LDAP authentication functionality.

📡 Detection & Monitoring

Log Indicators:

  • Failed LDAP authentication attempts
  • Unexpected authentication source changes

Network Indicators:

  • Plaintext LDAP traffic on port 389 when TLS was expected
  • TLS downgrade attempts

SIEM Query:

source="network_traffic" AND protocol="ldap" AND (NOT tls_version OR tls_version="NULL") AND (src_ip="datahub_server" OR dst_ip="ldap_server")

(Parentheses group the missing-TLS conditions so they are not OR-ed against the rest of the query; replace datahub_server and ldap_server with the actual addresses of your DataHub and LDAP hosts.)
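The same detection logic as the network indicators and SIEM query above, implemented over flow records so it can be run offline against an export; this is an added example, not DataHub's code, and the record format, host addresses and timestamps are constructed assumptions:

```python
"""Flag plaintext LDAP between DataHub and its LDAP server in flow logs.

Constructed example (not DataHub's code). Records mimic a generic
network-flow export: src, dst, dst_port, proto, tls_version ("" when the
session never negotiated TLS, either LDAPS on 636 or STARTTLS on 389).
"""
from typing import Iterable

LDAP_PORT = 389   # cleartext port; STARTTLS may upgrade it
LDAPS_PORT = 636  # implicit TLS


def flag_plaintext_ldap(records: Iterable[dict], datahub_hosts: set, ldap_hosts: set) -> list:
    """Return findings for LDAP sessions that ran without TLS.

    A session is reported as "downgrade" when the same DataHub->LDAP pair
    was seen negotiating TLS earlier in the log, and as "plaintext" otherwise.
    """
    findings = []
    seen_tls = set()  # (src, dst) pairs already observed with TLS
    for r in records:
        if r.get("proto") != "ldap":
            continue
        # only sessions from the DataHub server to the LDAP server matter
        if not (r["src"] in datahub_hosts and r["dst"] in ldap_hosts):
            continue
        pair = (r["src"], r["dst"])
        if r.get("tls_version"):
            seen_tls.add(pair)
            continue
        kind = "downgrade" if pair in seen_tls else "plaintext"
        findings.append({"kind": kind, "src": r["src"], "dst": r["dst"],
                         "dst_port": r["dst_port"], "ts": r["ts"]})
    return findings


# Constructed sample: two TLS sessions (LDAPS, then STARTTLS on 389),
# then a cleartext session on 389 from the same client, then an unrelated client.
SAMPLE_RECORDS = [
    {"ts": "2026-01-10T08:00:01Z", "src": "10.0.1.5", "dst": "10.0.2.10", "dst_port": LDAPS_PORT, "proto": "ldap", "tls_version": "TLSv1.2"},
    {"ts": "2026-01-10T08:05:12Z", "src": "10.0.1.5", "dst": "10.0.2.10", "dst_port": LDAP_PORT, "proto": "ldap", "tls_version": "TLSv1.3"},
    {"ts": "2026-01-10T08:07:44Z", "src": "10.0.1.5", "dst": "10.0.2.10", "dst_port": LDAP_PORT, "proto": "ldap", "tls_version": ""},
    {"ts": "2026-01-10T08:09:00Z", "src": "10.0.3.7", "dst": "10.0.2.10", "dst_port": LDAP_PORT, "proto": "ldap", "tls_version": ""},
]

if __name__ == "__main__":
    for finding in flag_plaintext_ldap(SAMPLE_RECORDS, {"10.0.1.5"}, {"10.0.2.10"}):
        print(finding)
```

A single cleartext bind from a host that has never been seen using TLS is reported as "plaintext" (a configuration problem); a cleartext session after TLS was in use for the same pair is the "downgrade" pattern this advisory describes.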
