Home / Vulnerability Intelligence / CVE-2026-26010

CVE-2026-26010 - Vulnerability Analysis

HighCVSS: 7.6

Last Updated: February 13, 2026

OpenMetadata - Broken Access Control

Published: February 11, 2026Updated: February 13, 2026PoC AvailableRemote Exploitable

Overview

OpenMetadata < 1.11.8 contains an information disclosure caused by JWT leakage in /api/v1/ingestionPipelines API calls, letting read-only users access privileged ingestion-bot accounts, exploit requires read-only user access.

Severity & Score

Severity: High

CVSS Score: 7.6

Impact

Read-only users can access privileged accounts, enabling destructive changes and data leakage in OpenMetadata instances.

Mitigation

Update to version 1.11.8 or later.

References

https://github.com/open-metadata/OpenMetadata/releases/tag/1.11.8-release
https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-pqqf-7hxm-rj5r

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-26010
Severity: High
CVSS Score: 7.6
Type: broken_access_control
Status: confirmed

CWE

CWE-269

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L