SB2026051612 - Improper access control in OpenMetadata
Published: May 16, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2026-46481)
The vulnerability allows a remote user to disclose sensitive information and to access or modify services and metadata.
The vulnerability exists due to improper access control in the TEST_CONNECTION workflow endpoint when handling POST requests to /api/v1/automations/workflows for a database service. A remote user can trigger a test-connection workflow for a database service and obtain from it the cleartext database password and an ingestion-bot JWT. The password gives access to the backing database; the bot token lets the user act as the ingestion bot against the OpenMetadata API to disclose sensitive information and access or modify services and metadata.
This issue applies only when service credentials are stored by OpenMetadata's built-in database-backed secrets manager (the `db` provider, which is the default) rather than in an external secrets store.
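Two checks a defender can run against the condition and the traffic described above, as an added example that is not part of this bulletin or of the OpenMetadata project. It assumes that openmetadata.yaml carries a `secretsManager:` block with a `provider:` key (written either as a literal or as a `${VAR:-default}` placeholder), and the access-log line format used for the second check is constructed for this example, as are all sample inputs.

```python
"""Added example, not OpenMetadata project code.

Check 1: does the server config leave service credentials in the built-in
         `db` secrets manager (the configuration the bulletin applies to)?
Check 2: which non-admin principals POSTed to the workflows endpoint?
"""
from __future__ import annotations

import re
from dataclasses import dataclass

VULNERABLE_ENDPOINT = "/api/v1/automations/workflows"
DB_PROVIDER = "db"

# Matches `${SECRET_MANAGER:-db}`-style placeholders (assumed config syntax).
_ENV_PLACEHOLDER = re.compile(
    r"^\$\{[A-Za-z_][A-Za-z0-9_]*(?::-(?P<default>[^}]*))?\}$"
)


def _resolve(value: str) -> str:
    """Resolve a placeholder to its default, i.e. the value the server would
    use when the environment variable is unset (assumption: no override)."""
    value = value.strip().strip('"').strip("'")
    m = _ENV_PLACEHOLDER.match(value)
    return (m.group("default") or "") if m else value


def secrets_manager_provider(config_text: str) -> str:
    """Line-oriented scan of the `secretsManager:` block for `provider:`.
    Returns DB_PROVIDER when the block or key is absent, since that is the
    default configuration the bulletin's condition refers to."""
    in_block, block_indent = False, 0
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, rest = raw.strip().partition(":")
        if not in_block:
            if key == "secretsManager":
                in_block, block_indent = True, indent
            continue
        if indent <= block_indent:
            break  # left the block without seeing a provider key
        if key == "provider":
            return _resolve(rest) or DB_PROVIDER
    return DB_PROVIDER


def stores_credentials_in_db(config_text: str) -> bool:
    """True when the affected (db secrets manager) configuration is in use."""
    return secrets_manager_provider(config_text) == DB_PROVIDER


@dataclass(frozen=True)
class Hit:
    user: str
    line: str


# Constructed access-log shape for this example: "<user> <method> <path> <status>".
_LOG = re.compile(r"^(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def workflow_creations_by_non_admins(log_lines, admins) -> list[Hit]:
    """Flag POST requests to the workflows endpoint (prefix match, so
    sub-resources of it are caught too) from principals outside the admin set."""
    hits = []
    for line in log_lines:
        m = _LOG.match(line.strip())
        if not m:
            continue
        path = m["path"].split("?")[0]
        if (m["method"] == "POST" and path.startswith(VULNERABLE_ENDPOINT)
                and m["user"] not in admins):
            hits.append(Hit(m["user"], line.strip()))
    return hits


# Constructed sample inputs.
VULNERABLE_CONFIG = "secretsManager:\n  provider: ${SECRET_MANAGER:-db}\n"
EXTERNAL_CONFIG = (
    "database:\n  driverClass: org.postgresql.Driver\n"
    "secretsManager:\n  provider: aws\n  parameters:\n    region: us-east-1\n"
)
SAMPLE_LOG = [
    "admin POST /api/v1/automations/workflows 201",
    "analyst POST /api/v1/automations/workflows 201",
    "analyst GET /api/v1/automations/workflows/abc 200",
]

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("external", EXTERNAL_CONFIG)):
        print(f"{name}: provider={secrets_manager_provider(cfg)} "
              f"affected={stores_credentials_in_db(cfg)}")
    for hit in workflow_creations_by_non_admins(SAMPLE_LOG, {"admin"}):
        print(f"review: {hit.line}")
```

Run the first check against the deployed config rather than a repository copy, since an environment override of the placeholder changes the answer; the second check only narrows review to non-admin workflow creations, and each hit still needs to be confirmed against who should legitimately run test connections in that deployment.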
Remediation
Install the update from the vendor's website. Until it is applied, the affected configuration can be avoided by storing service credentials in an external secrets store rather than the built-in `db` secrets manager.