CVE-2024-28255: OpenMetadata Authentication Bypass Flaw

CVE-2024-28255 Overview

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. A critical authentication bypass vulnerability exists in the JwtFilter component that handles API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against an exclusion list. When the request's path contains any of the excluded endpoints, the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings, allowing complete bypass of the authentication mechanism.

Critical Impact

This vulnerability enables unauthenticated attackers to bypass JWT authentication entirely and access any arbitrary API endpoint, potentially leading to arbitrary SpEL expression injection and complete system compromise.

Affected Products

• OpenMetadata versions prior to 1.2.4
• open-metadata openmetadata (all vulnerable versions)
• OpenMetadata deployments with exposed API endpoints

Discovery Timeline

• 2024-03-15 - CVE-2024-28255 published to NVD
• 2025-09-04 - Last updated in NVD database

Technical Details for CVE-2024-28255

Vulnerability Analysis

The vulnerability resides in the JwtFilter class within OpenMetadata's security module. This filter is responsible for authenticating API requests by validating JWT tokens. The filter maintains a list of excluded endpoints that are allowed to bypass authentication—a common pattern for public endpoints like login pages.

The fundamental flaw lies in how the filter checks whether a request path matches the excluded endpoints. The path matching logic is susceptible to manipulation through URL path parameters. In HTTP, path parameters are segments that appear after a semicolon in a URL path. For example, in /api/v1;malicious/endpoint, the ;malicious portion is a path parameter.

When an attacker crafts a request like GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111, the path matching logic sees the URL-encoded string v1/users/login within the path, which matches an excluded endpoint pattern. This causes the filter to skip JWT validation entirely, allowing the request to proceed to any backend endpoint.

This bypass has a notable limitation: it will not work for endpoints that call SecurityContext.getUserPrincipal() since the principal will be null, resulting in a NullPointerException. However, many endpoints do not perform this check, leaving them fully accessible to unauthenticated attackers.

This issue is also tracked as GHSL-2023-237 by GitHub Security Lab.

Root Cause

The root cause is improper input validation in the URL path matching logic within the JwtFilter class. The filter performs substring matching to determine if a request path contains an excluded endpoint pattern, but it fails to properly normalize the path before comparison. This allows attackers to inject arbitrary strings into the path using URL-encoded path parameters, effectively spoofing the path to match exclusion patterns while the actual request is routed to a different endpoint.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

1. Identifying the excluded endpoint patterns used by the JwtFilter
2. Crafting a malicious URL that includes an excluded endpoint pattern as a URL-encoded path parameter
3. Appending the actual target endpoint they wish to access after the path parameter
4. Sending the request to the OpenMetadata API server

The crafted URL structure exploits the loose path matching to bypass authentication while the underlying web server routes the request to the attacker's target endpoint. This can lead to arbitrary SpEL expression injection on vulnerable endpoints, potentially resulting in remote code execution.

For technical details on the vulnerable code, see the GitHub JwtFilter Code Reference and the GitHub Security Advisory GHSA-6wx7-qw5p-wh84.

Detection Methods for CVE-2024-28255

Indicators of Compromise

• HTTP requests containing semicolons (;) followed by URL-encoded path segments targeting OpenMetadata API endpoints
• API access logs showing requests to sensitive endpoints without corresponding authentication events
• Unusual access patterns to /api/v1/ endpoints with malformed or suspicious path structures
• Error logs indicating NullPointerException from getUserPrincipal() calls following unauthenticated requests

Detection Strategies

• Monitor web server and application logs for requests containing path parameters (semicolon followed by data) in OpenMetadata API paths
• Implement Web Application Firewall (WAF) rules to detect and block requests with URL-encoded path traversal patterns such as %2f within path segments
• Configure intrusion detection systems to alert on requests matching the pattern /api/v1;.*login.* or similar excluded endpoint injections
• Audit API access logs for successful requests to protected endpoints that lack corresponding JWT validation entries

Monitoring Recommendations

• Enable detailed access logging on all OpenMetadata API endpoints including full request URIs
• Implement real-time alerting for requests containing suspicious path parameter patterns targeting the API
• Monitor for SpEL expression injection attempts in request parameters following potential authentication bypass
• Track failed authentication attempts and correlate with subsequent successful unauthenticated API access

How to Mitigate CVE-2024-28255

Immediate Actions Required

• Upgrade OpenMetadata to version 1.2.4 or later immediately as this version addresses the vulnerability
• If immediate upgrade is not possible, restrict network access to the OpenMetadata API to trusted sources only
• Deploy a Web Application Firewall (WAF) with rules to block requests containing path parameters (semicolons) in API paths
• Audit access logs for evidence of exploitation attempts or successful bypass

Patch Information

OpenMetadata has addressed this vulnerability in version 1.2.4. Users are strongly advised to upgrade to this version or later. The fix implements proper path normalization in the JwtFilter to prevent path parameter manipulation from bypassing authentication checks.

For detailed patch information, refer to the GitHub Security Advisory GHSA-6wx7-qw5p-wh84.

Workarounds

• There are no known workarounds for this vulnerability according to the vendor advisory
• As a temporary mitigation, restrict network access to OpenMetadata to only trusted IP ranges using firewall rules
• Implement a reverse proxy with strict URL validation that rejects requests containing semicolons in path segments
• Monitor and alert on suspicious API access patterns while planning the upgrade to version 1.2.4

# Example: Restrict access to OpenMetadata API using iptables (temporary mitigation)
# Only allow access from trusted network 10.0.0.0/8
iptables -A INPUT -p tcp --dport 8585 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8585 -j DROP

# Example: nginx reverse proxy rule to block path parameters
# Add to nginx server configuration
if ($request_uri ~ ";") {
    return 403;
}