EXECUTIVE SUMMARY:
A high-severity vulnerability, tracked as CVE-2026-26010, has been identified in the OpenMetadata project. It affects all releases of OpenMetadata prior to version 1.11.8. The issue stems from API calls to /api/v1/ingestionPipelines that inadvertently leak the JWT tokens used by the ingestion-bot for services such as Glue, Redshift, and Postgres. Because these tokens grant elevated privileges, a user with only read-only access can exploit the flaw to impersonate a highly privileged service account. This unintended privilege escalation can lead to destructive changes within an OpenMetadata instance and expose sensitive metadata. The vulnerability has been assigned a CVSS v3 base score of 7.6 (High), indicating a serious risk. It involves improper privilege management that allows access beyond the intended roles. Exploitation requires only low privileges and no user interaction.
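The following Python script is an added example, not part of this advisory and not OpenMetadata project code. It shows the two checks a defender would want after reading the summary above: deciding whether a deployed version string falls before the fixed release, and auditing a JSON API response (for instance the body returned by the ingestion pipelines endpoint, captured with an ordinary read-only account after the upgrade) for strings shaped like JWTs. The sample response, its field names (connectionConfig, botToken) and the token inside it are constructed for the demonstration and do not reflect OpenMetadata's real response schema; the token is decoded without signature verification purely to describe what was found, and the report deliberately omits the token value so it can be shared with the team that owns the instance.

```python
import base64
import json
import re
from typing import Any, Dict, List

# A JWT is three base64url segments separated by dots. The header segment of
# a real token always begins with "eyJ" because it base64url-encodes '{"'.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

FIXED_VERSION = "1.11.8"  # fixed release named in the advisory


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when an OpenMetadata version string is older than the fixed release.
    Compares numeric components so that 1.9.x sorts before 1.11.x (a plain
    string comparison would get that wrong)."""
    def parse(v: str):
        return tuple(int(part) for part in v.split("."))
    return parse(version) < parse(fixed)


def _b64url_decode(segment: str) -> bytes:
    # base64url segments in JWTs are stored without padding; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Dict[str, Any]:
    """Decode header and payload of a JWT WITHOUT verifying the signature.
    Used only to describe a finding; the claims must never be trusted."""
    header_b64, payload_b64, _signature = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "payload": json.loads(_b64url_decode(payload_b64)),
    }


def find_leaked_jwts(obj: Any, path: str = "$") -> List[Dict[str, Any]]:
    """Walk a decoded JSON response and report every string that parses as a JWT.
    Each finding records the JSON path plus the unverified alg/sub/exp claims,
    but never the token itself, so the report is safe to share."""
    findings: List[Dict[str, Any]] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            findings.extend(find_leaked_jwts(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            findings.extend(find_leaked_jwts(value, f"{path}[{index}]"))
    elif isinstance(obj, str) and JWT_RE.match(obj):
        try:
            decoded = decode_jwt_unverified(obj)
        except ValueError:  # covers bad base64 and bad JSON: not a real JWT
            return findings
        claims = decoded["payload"]
        findings.append({
            "path": path,
            "alg": decoded["header"].get("alg"),
            "sub": claims.get("sub"),
            "exp": claims.get("exp"),
        })
    return findings


def _make_constructed_token(payload: Dict[str, Any]) -> str:
    """Build a JWT-shaped string for the sample below. The signature segment is
    a dummy value; this is test data, not a real credential."""
    def enc(data: Dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2lnbmF0dXJl"


# Constructed sample response; field names are invented for the demonstration
# and are not OpenMetadata's actual schema.
SAMPLE_RESPONSE = {
    "data": [
        {
            "name": "redshift_metadata_ingestion",
            "service": {"type": "databaseService", "name": "redshift_prod"},
            "connectionConfig": {
                "hostPort": "http://openmetadata.internal:8585/api",
                "botToken": _make_constructed_token({"sub": "ingestion-bot", "exp": 1900000000}),
            },
        },
        {"name": "postgres_ingestion", "description": "a.b.c is not a token"},
    ]
}


def scan_sample() -> List[Dict[str, Any]]:
    """Run the scanner over the constructed sample response."""
    return find_leaked_jwts(SAMPLE_RESPONSE)


if __name__ == "__main__":
    for version in ("1.9.2", "1.11.7", "1.11.8"):
        print(f"{version}: {'affected' if is_affected(version) else 'fixed'}")
    for finding in scan_sample():
        print("token found at", finding["path"], "claims:", finding)
```

In practice the response body would come from a saved HTTP capture rather than the embedded sample; feeding `json.load(open(path))` to `find_leaked_jwts` is enough. Any finding from a read-only session after upgrading means the instance still needs attention, and the same scanner works as a generic secret-in-response check for other endpoints.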
RECOMMENDATION:
We strongly recommend you update OpenMetadata to version 1.11.8.
REFERENCES:
The following reports contain further technical details: