Openmetadata Open Metadata Openmetadata


By the Year

In 2026 there have been 2 vulnerabilities in Open Metadata Openmetadata. Last year, in 2025, Openmetadata had 5 security vulnerabilities published. Right now, Openmetadata is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 2 0.00
2025 5 8.03

It may take a day or so for new Openmetadata vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Open Metadata Openmetadata Security Vulnerabilities

OpenMetadata 1.11.8 JWT leakage via /ingestionPipelines API
CVE-2026-26010 - February 11, 2026

OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak the JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres). Any read-only user can thereby gain access to a highly privileged account, typically one that holds the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata that would otherwise be unavailable under the user's roles/policies). This vulnerability is fixed in 1.11.8.

Improper Privilege Management

OpenMetadata SSTI RCE in FreeMarker templates <1.11.4
CVE-2026-22244 - January 08, 2026

OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

OpenMetadata SQL Injection in DocStoreDAO listCount (<=1.4.4)
CVE-2025-50468 - August 08, 2025

OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database via the function listCount in the DocStoreDAO interface. The entityType parameter can be used to build a SQL query.

OpenMetadata <=1.4.4 SQL Injection via supportedDataTypeParam
CVE-2025-50467 - August 08, 2025

OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database via the function listCount in the TestDefinitionDAO interface. The supportedDataTypeParam parameter can be used to build a SQL query.

OpenMetadata <=1.4.4 SQLi in TestDefinitionDAO
CVE-2025-50466 6.5 - Medium - August 08, 2025

OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database via the function listCount in the TestDefinitionDAO interface. The entityType parameter can be used to build a SQL query.

OpenMetadata <=1.4.4 SQLi via TestDefinitionDAO (CVE-2025-50465)
CVE-2025-50465 8.8 - High - August 08, 2025

OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database via the function listCount in the TestDefinitionDAO interface. The testPlatform parameter can be used to build a SQL query.

OpenMetadata <=1.4.1 SQL Injection in WorkflowDAO:listCount
CVE-2024-55238 8.8 - High - April 17, 2025

OpenMetadata <=1.4.1 is vulnerable to SQL Injection. An attacker can extract information from the database via the function listCount in the WorkflowDAO interface. The workflowtype and status parameters can be used to build a SQL query.
