CVE-2026-26010
📋 TL;DR
OpenMetadata versions before 1.11.8 leak JSON Web Tokens (JWTs) used by the ingestion-bot service through API calls from the UI. This allows any read-only user to gain highly privileged Ingestion Bot Role access, enabling destructive changes and potential data leakage. All OpenMetadata instances running vulnerable versions are affected.
💻 Affected Systems
- OpenMetadata
📦 What is this software?
Openmetadata by Open Metadata
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control, delete metadata, modify configurations, and exfiltrate sensitive service metadata and sample data from connected databases.
Likely Case
Unauthorized users escalate privileges to perform destructive actions within OpenMetadata, potentially disrupting metadata operations and accessing restricted data.
If Mitigated
With proper network segmentation and access controls, impact is limited to metadata platform disruption without direct database access.
🎯 Exploit Status
Requires read-only user access; exploitation is straightforward once authenticated
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.8
Vendor Advisory: https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-pqqf-7hxm-rj5r
Restart Required: Yes
Instructions:
1. Backup your OpenMetadata instance.
2. Upgrade to version 1.11.8 or later.
3. Restart all OpenMetadata services.
4. Verify the fix by checking the version and testing API access.
🔧 Temporary Workarounds
Restrict API Access
Limit access to the /api/v1/ingestionPipelines endpoint using network controls or web application firewall rules
Reduce Read-Only Users
Minimize the number of read-only users and review their access permissions
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OpenMetadata from production databases
- Monitor and alert on unusual API calls to ingestionPipelines endpoint
🔍 How to Verify
Check if Vulnerable:
Check OpenMetadata version; if below 1.11.8, the system is vulnerable
Check Version:
Check OpenMetadata UI admin panel or API response for version information
Verify Fix Applied:
Confirm version is 1.11.8 or higher and test that read-only users cannot access privileged ingestion-bot tokens
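The version check above is easy to get wrong if versions are compared as strings ("1.9.10" sorts after "1.11.8" lexically and would be misreported as patched). The following is an added example, not part of the advisory or of OpenMetadata, that parses the numeric components and compares them against the 1.11.8 fix version; the version strings it is run on are constructed.

```python
"""Added example: decide whether an OpenMetadata version string predates the
1.11.8 fix for CVE-2026-26010. Not from the advisory; sample versions are constructed."""
import re
from typing import Tuple

FIXED_VERSION = (1, 11, 8)  # first release carrying the fix, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Extract major.minor.patch as integers, tolerating a leading 'v' and
    ignoring suffixes such as '-SNAPSHOT' or build metadata.

    Caveat: a pre-release build labelled with the fix version (e.g.
    '1.11.8-SNAPSHOT') is treated as 1.11.8 here; confirm such builds
    actually include the fix rather than trusting the label.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(version: str) -> bool:
    """True when the running version is older than 1.11.8 (numeric compare)."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    for v in ["1.11.7", "1.11.8", "1.9.10", "1.12.0", "v1.11", "1.11.8-SNAPSHOT"]:
        print(f"{v:18} -> {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Feed it the version string reported by the admin panel or the version API response; anything that evaluates to vulnerable should be scheduled for the upgrade in the Official Fix section.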
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to /api/v1/ingestionPipelines from read-only users
- Authentication logs showing privilege escalation
Network Indicators:
- Unexpected outbound connections from OpenMetadata to database services
SIEM Query:
source="openmetadata" AND (uri_path="/api/v1/ingestionPipelines" AND user_role="read-only")
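The SIEM query above matches the endpoint exactly. As an added example (not part of the advisory and not OpenMetadata code), the script below applies the same logic offline to constructed JSON access-log records, using the field names from the query (source, uri_path, user_role) as an assumption about the log schema. It goes slightly beyond the query by also matching sub-resources of the endpoint (/api/v1/ingestionPipelines/{id}) while excluding lookalike prefixes, and it tallies hits per read-only user so a single alert can summarise repeated access.

```python
"""Added example: run the advisory's SIEM logic over sample access-log records.
Field names mirror the SIEM query on the page; the records and the per-user
tally are constructed for illustration and are not real OpenMetadata output."""
import json
from collections import Counter
from typing import Dict, Iterable, List

WATCHED_PATH = "/api/v1/ingestionPipelines"
WATCHED_ROLE = "read-only"
WATCHED_SOURCE = "openmetadata"

# Constructed sample: a read-only user touches the watched endpoint twice
# (suspicious), an admin does the same (expected), a record from a different
# log source is out of scope, and a lookalike path must not match.
SAMPLE_LOGS = """\
{"source":"openmetadata","ts":"2026-01-10T09:00:01Z","user":"alice","user_role":"read-only","method":"GET","uri_path":"/api/v1/tables"}
{"source":"openmetadata","ts":"2026-01-10T09:00:02Z","user":"alice","user_role":"read-only","method":"GET","uri_path":"/api/v1/ingestionPipelines"}
{"source":"openmetadata","ts":"2026-01-10T09:00:03Z","user":"alice","user_role":"read-only","method":"GET","uri_path":"/api/v1/ingestionPipelines/3f2b"}
{"source":"openmetadata","ts":"2026-01-10T09:00:04Z","user":"bob","user_role":"admin","method":"GET","uri_path":"/api/v1/ingestionPipelines"}
{"source":"nginx","ts":"2026-01-10T09:00:05Z","user":"carol","user_role":"read-only","method":"GET","uri_path":"/api/v1/ingestionPipelines"}
{"source":"openmetadata","ts":"2026-01-10T09:00:06Z","user":"dave","user_role":"read-only","method":"GET","uri_path":"/api/v1/ingestionPipelinesX"}
"""


def parse_records(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines input, skipping blank or malformed lines so one bad
    record does not abort the whole sweep."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_path_match(path: str) -> bool:
    """Match the endpoint itself and its sub-resources, not lookalike prefixes."""
    return path == WATCHED_PATH or path.startswith(WATCHED_PATH + "/")


def find_suspicious(records: List[Dict]) -> List[Dict]:
    """Equivalent of the page's SIEM query, extended to sub-resource paths."""
    return [
        r for r in records
        if r.get("source") == WATCHED_SOURCE
        and r.get("user_role") == WATCHED_ROLE
        and is_path_match(r.get("uri_path", ""))
    ]


def hits_per_user(records: List[Dict]) -> Dict[str, int]:
    """Count suspicious requests per user for a single summarised alert."""
    return dict(Counter(r.get("user", "?") for r in find_suspicious(records)))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOGS.splitlines())
    for user, n in hits_per_user(recs).items():
        print(f"ALERT: read-only user {user!r} hit {WATCHED_PATH}: {n} request(s)")
```

On the sample input only alice is reported; the admin request, the record from another source and the lookalike path are filtered out. Tune the source and role values to the actual field names your logging pipeline emits before using this against real data.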