Improper access control in OpenMetadata - CVE-2026-46481

Published: May 16, 2026

Vulnerability identifier: #VU131605
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-46481
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenMetadata
Affected software:
OpenMetadata

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and access or modify services and metadata.

The vulnerability exists due to improper access control in the TEST_CONNECTION workflow endpoint when handling POST requests to /api/v1/automations/workflows for a database service. A remote user can trigger a test-connection workflow and obtain the cleartext database password and the ingestion bot's JWT, disclosing sensitive information and allowing the user to access or modify services and metadata.

This issue is applicable when credentials are stored with the db secrets manager rather than an external secrets store.
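As an added example that is not part of this advisory, the following Python filter walks constructed access-log lines and counts, per user, the POST requests to the endpoint named above that create a TEST_CONNECTION workflow for a database service; the key=value log format, the user names and the body.* field names are assumptions, so that requests from accounts not expected to run ingestion can be reviewed.

```python
import re
from collections import Counter

# Endpoint and workflow type named in the advisory.
WORKFLOW_PATH = "/api/v1/automations/workflows"
WORKFLOW_TYPE = "TEST_CONNECTION"

# Constructed sample log lines (not real OpenMetadata output); the
# key=value layout and the body.* field names are assumptions.
SAMPLE_LOG = """\
2026-05-16T10:01:02Z user=alice method=POST path=/api/v1/automations/workflows status=201 body.workflowType=TEST_CONNECTION body.request.serviceType=Database
2026-05-16T10:01:03Z user=alice method=POST path=/api/v1/automations/workflows/trigger/abc status=200
2026-05-16T10:02:10Z user=bob method=GET path=/api/v1/services/databaseServices status=200
2026-05-16T10:03:00Z user=bob method=POST path=/api/v1/automations/workflows status=201 body.workflowType=TEST_CONNECTION body.request.serviceType=Database
2026-05-16T10:03:01Z user=bob method=POST path=/api/v1/automations/workflows status=201 body.workflowType=TEST_CONNECTION body.request.serviceType=Database
2026-05-16T10:04:00Z user=carol method=POST path=/api/v1/automations/workflows status=201 body.workflowType=TEST_CONNECTION body.request.serviceType=Pipeline
"""

TOKEN_RE = re.compile(r"(\S+?)=(\S+)")


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    fields.update(TOKEN_RE.findall(rest))
    return fields


def is_db_test_connection_create(event):
    """True for a POST that creates a database-service TEST_CONNECTION workflow.

    The path is matched exactly, so later calls under the same prefix
    (e.g. .../workflows/trigger/<id>) are not counted twice.
    """
    return (event.get("method") == "POST"
            and event.get("path") == WORKFLOW_PATH
            and event.get("body.workflowType") == WORKFLOW_TYPE
            and event.get("body.request.serviceType") == "Database")


def count_test_connection_requests(log_text, trusted_users=frozenset()):
    """Return {user: count} for matching requests from users not in trusted_users.

    trusted_users is an operator-supplied allowlist of accounts that are
    expected to run connection tests (an assumption, not from the advisory).
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if is_db_test_connection_create(event) and event.get("user") not in trusted_users:
            counts[event["user"]] += 1
    return dict(counts)
```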

How to mitigate CVE-2026-46481

Install the security update from the vendor's website.

Sources