PT-2026-7624 · Amazon+2 · Redshift+6

Amfor · Published 2026-02-11 · Updated 2026-02-17 · CVE-2026-26010

CVSS v3.1: 7.6 (High) · AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: OpenMetadata versions prior to 1.11.8

Description: OpenMetadata is susceptible to an information disclosure issue that can lead to privilege escalation. Responses from the /api/v1/ingestionPipelines endpoint can expose the JWTs used by the ingestion-bot for services such as Glue, Redshift, and Postgres. A read-only user can thereby obtain access to a highly privileged account, typically one holding the Ingestion Bot Role, potentially enabling destructive changes to OpenMetadata instances and data leakage, including sample data or service metadata that roles and policies are meant to restrict. The JWT token is present in the API payload, so exploitation allows user impersonation even by accounts with read-only access.

Recommendations: For versions prior to 1.11.8, redact the jwtToken in the API payload. Implement role-based filtering so that only users with explicit admin or service-account permissions receive JWT tokens. Rotate Ingestion Bot tokens in affected environments.
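One way to implement the redaction and role filtering recommended above, as an added example that is not OpenMetadata's own code: the payload shape, the role names and the ADMIN_LIKE_ROLES set are assumptions, and only the jwtToken field and the endpoint come from the advisory. find_token_paths doubles as a check a defender can run over a response captured from a read-only account to confirm whether an instance still leaks the token.

```python
# Added illustration of the recommended fix; not OpenMetadata's own code.
# Payload shape, role names and ADMIN_LIKE_ROLES are assumptions; only the
# jwtToken field name comes from the advisory.
import copy

REDACTED = "***REDACTED***"
SENSITIVE_KEYS = {"jwtToken"}
ADMIN_LIKE_ROLES = {"Admin", "IngestionBotRole"}  # assumed entitled roles


def find_token_paths(node, path="$"):
    # JSON paths of every unredacted sensitive key; a non-empty result for a
    # read-only caller's captured response means the leak is present.
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS and value not in (None, REDACTED):
                hits.append(child)
            hits.extend(find_token_paths(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_token_paths(item, f"{path}[{i}]"))
    return hits


def redact_for_caller(payload, caller_roles):
    # Return a copy with jwtToken values masked unless the caller holds an
    # admin or service-account role; the original object is not modified.
    if ADMIN_LIKE_ROLES & set(caller_roles):
        return payload
    redacted = copy.deepcopy(payload)

    def scrub(node):
        if isinstance(node, dict):
            for key in node:
                if key in SENSITIVE_KEYS:
                    node[key] = REDACTED
                else:
                    scrub(node[key])
        elif isinstance(node, list):
            for item in node:
                scrub(item)

    scrub(redacted)
    return redacted


# Constructed sample shaped like a pipeline list response (not real data).
SAMPLE_RESPONSE = {"data": [{"name": "redshift_metadata_pipeline",
    "openMetadataServerConnection": {"securityConfig": {"jwtToken": "eyJ.sample"}},
    "service": {"type": "databaseService", "name": "Acme Nexus Redshift"}}]}
```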

Exploit · Fix · LPE · Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2026-26010, GHSA-PQQF-7HXM-RJ5R

Affected Products: Rathena, Glue, Openmetadata, Postgres, Redshift, Acme Nexus Redshift, Sample Postgres