PatchSiren cyber security CVE debrief
CVE-2026-46481 open-metadata CVE debrief
CVE-2026-46481 is a security vulnerability in OpenMetadata, a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive sensitive information in the HTTP 201 response of POST /api/v1/automations/workflows. The leaked information includes the cleartext database password in request.connection.config.password and the ingestion bot JWT in openMetadataServerConnection.securityConfig.jwtToken. This token can be reused to access sensitive service APIs with bot-level privileges.
- Vendor: open-metadata
- Product: OpenMetadata
- CVSS: HIGH 8.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Administrators and operators of OpenMetadata, particularly of deployments where non-admin SSO users can reach the automations API, should be aware of this vulnerability and apply the recommended defensive actions below.
Technical summary
The vulnerability has a CVSS score of 8.3 and is classified as HIGH severity. It was published on 2026-06-08T17:16:51.847Z and modified on 2026-06-09T15:25:56.860Z. The issue has been patched in version 1.12.4.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade OpenMetadata to version 1.12.4 or later.
- Review and restrict access to sensitive service APIs.
- Monitor for suspicious activity related to ingestion bot tokens.
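Two checks a defender can run for this issue, written here as an added example rather than code from OpenMetadata or PatchSiren. The first walks a workflow-creation response body and reports whether the two field paths named above (request.connection.config.password and openMetadataServerConnection.securityConfig.jwtToken) are still present with unmasked values, which is a quick way to confirm the upgrade to 1.12.4 took effect. The second scans audit records for successful TEST_CONNECTION workflow creations by non-admin users. The response bodies, the JSON-lines log format, and the "run of asterisks" masking convention are all constructed assumptions for the example.

```python
import json
from typing import Iterable

# Dotted paths the advisory names as leaking in the HTTP 201 response body.
SENSITIVE_PATHS = (
    "request.connection.config.password",
    "openMetadataServerConnection.securityConfig.jwtToken",
)


def _lookup(obj, dotted: str):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def find_leaked_fields(body: dict) -> list:
    """Return the sensitive paths present with a non-empty, unmasked value.

    Assumption: a masked secret is rendered as a run of asterisks; an absent
    field or an all-asterisk value is treated as safe.
    """
    leaked = []
    for path in SENSITIVE_PATHS:
        val = _lookup(body, path)
        if isinstance(val, str) and val and set(val) != {"*"}:
            leaked.append(path)
    return leaked


def flag_test_connection_by_non_admin(lines: Iterable[str]) -> list:
    """Scan JSON-lines audit records (constructed format) and return the
    successful TEST_CONNECTION workflow creations made by non-admin users."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        if (
            rec.get("method") == "POST"
            and rec.get("path") == "/api/v1/automations/workflows"
            and rec.get("status") == 201
            and rec.get("workflowType") == "TEST_CONNECTION"
            and not rec.get("isAdmin", False)
        ):
            hits.append({"ts": rec.get("ts"), "user": rec.get("user")})
    return hits


# Constructed sample bodies: the shape follows the field paths in the advisory,
# the values are made up.
SAMPLE_UNPATCHED = {
    "id": "wf-0001",
    "workflowType": "TEST_CONNECTION",
    "request": {"connection": {"config": {
        "type": "Mysql", "username": "om_user", "password": "s3cr3t-example"}}},
    "openMetadataServerConnection": {"securityConfig": {
        "jwtToken": "eyJ.example.token"}},
}
SAMPLE_PATCHED = {
    "id": "wf-0002",
    "workflowType": "TEST_CONNECTION",
    "request": {"connection": {"config": {
        "type": "Mysql", "username": "om_user", "password": "*****"}}},
    "openMetadataServerConnection": {"securityConfig": {}},
}

# Constructed audit log in an assumed JSON-lines format.
SAMPLE_LOG = [
    '{"ts": "2026-06-08T18:00:01Z", "user": "alice", "isAdmin": false, '
    '"method": "POST", "path": "/api/v1/automations/workflows", '
    '"status": 201, "workflowType": "TEST_CONNECTION"}',
    '{"ts": "2026-06-08T18:00:05Z", "user": "bob", "isAdmin": true, '
    '"method": "POST", "path": "/api/v1/automations/workflows", '
    '"status": 201, "workflowType": "TEST_CONNECTION"}',
    '{"ts": "2026-06-08T18:00:09Z", "user": "carol", "isAdmin": false, '
    '"method": "GET", "path": "/api/v1/automations/workflows", "status": 200}',
    'not json at all',
]

if __name__ == "__main__":
    print("unpatched leaks:", find_leaked_fields(SAMPLE_UNPATCHED))
    print("patched leaks:", find_leaked_fields(SAMPLE_PATCHED))
    print("non-admin TEST_CONNECTION:", flag_test_connection_by_non_admin(SAMPLE_LOG))
```

Run the response check against a real 201 body captured from a test service after upgrading; an empty list is the expected result on 1.12.4 or later. The log check is only a starting point: map the field names onto whatever audit format your deployment actually emits before relying on it.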
Evidence notes
The vulnerability is described in the CVE record [cve-org]. Details can also be found in the OpenMetadata security advisory [ref-4] and the NVD detail page [nvd].
Official resources
- CVE-2026-46481 CVE record (CVE.org)
- CVE-2026-46481 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-46481 was published on 2026-06-08T17:16:51.847Z and modified on 2026-06-09T15:25:56.860Z.