CVE-2026-46481 Overview
CVE-2026-46481 is an information disclosure vulnerability in OpenMetadata, a unified metadata platform for data discovery and governance. Versions prior to 1.12.4 expose sensitive credentials to non-administrative single sign-on (SSO) users through the TEST_CONNECTION workflow. When a low-privileged user submits a POST /api/v1/automations/workflows request for a Database Service, the HTTP 201 response returns both the cleartext database password and the ingestion bot JSON Web Token (JWT). Attackers can replay the leaked JWT as a bearer token to access privileged service APIs. The vulnerability is classified under CWE-201: Insertion of Sensitive Information Into Sent Data.
Critical Impact
Authenticated non-admin SSO users can extract cleartext database credentials and ingestion bot JWTs, enabling lateral movement into connected data sources and bot-privileged API access.
Affected Products
- OpenMetadata versions prior to 1.12.4
- OpenMetadata deployments using SSO authentication with non-admin users
- OpenMetadata Database Service connectors leveraging the automations workflow API
Discovery Timeline
- 2026-06-08 - CVE-2026-46481 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46481
Vulnerability Analysis
The flaw resides in OpenMetadata's automations/workflows endpoint, which handles TEST_CONNECTION operations for Database Services. The endpoint serializes the full workflow object back to the requester, including the request.connection.config.password field and the openMetadataServerConnection.securityConfig.jwtToken field. Both values should be considered server-internal secrets but are returned verbatim in the HTTP 201 response body.
A non-admin SSO user with permission to test a connection becomes effectively privileged. The ingestion bot JWT carries bot-level scopes, allowing the attacker to call sensitive service APIs by sending the token in an Authorization: Bearer <jwt> header. The cleartext database password enables direct authentication against the backing database, bypassing OpenMetadata entirely.
Root Cause
The root cause is improper output filtering in the workflow response handler. Secrets stored in the workflow configuration are not redacted before serialization. The API treats internal connection state and authentication material as part of the public response schema, so a requester receives far more than their privilege level warrants; CWE-201 classifies this pattern as Insertion of Sensitive Information Into Sent Data.
Attack Vector
Exploitation requires network access to the OpenMetadata API and valid low-privileged SSO credentials. The attacker authenticates, identifies an accessible Database Service, and submits a TEST_CONNECTION workflow. The 201 response contains the credentials. The attacker then reuses the ingestion bot JWT to enumerate metadata, modify ingestion pipelines, or pivot to other connected services.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-9vmh-whc4-7phg for vendor technical details.
Detection Methods for CVE-2026-46481
Indicators of Compromise
- HTTP 201 responses from POST /api/v1/automations/workflows returned to non-admin SSO accounts
- Use of ingestion bot JWTs originating from user-attributed IP addresses or sessions
- Unexpected TEST_CONNECTION workflow submissions across multiple Database Services in short timeframes
- Outbound database authentication attempts from hosts that do not normally run ingestion workers
Detection Strategies
- Inspect application access logs for automations/workflows calls correlated with non-admin user roles
- Alert on ingestion bot JWT usage where the source IP, user-agent, or session does not match the ingestion service
- Compare TEST_CONNECTION request frequency per user against baseline behavior to detect credential harvesting attempts
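As an added example (not code from the advisory or from the OpenMetadata project), the following Python script applies the indicators of compromise and detection strategies above to constructed access-log records. The JSON-lines format, the field names `roles`, `principal_type` and `src_ip`, the role name `Admin`, the ingestion worker address and the burst threshold are all assumptions; a real deployment's audit or access log has to be mapped onto them.

```python
"""Detection logic for the CVE-2026-46481 indicators, run over constructed log lines.
Added example; log format, field names, role names, worker IPs and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed JSON-lines access-log format.
SAMPLE_LOG = """
{"ts":"2026-06-09T10:00:01Z","user":"alice","roles":["DataConsumer"],"principal_type":"user","src_ip":"10.1.2.3","method":"POST","path":"/api/v1/automations/workflows","status":201}
{"ts":"2026-06-09T10:00:05Z","user":"alice","roles":["DataConsumer"],"principal_type":"user","src_ip":"10.1.2.3","method":"POST","path":"/api/v1/automations/workflows","status":201}
{"ts":"2026-06-09T10:00:09Z","user":"alice","roles":["DataConsumer"],"principal_type":"user","src_ip":"10.1.2.3","method":"POST","path":"/api/v1/automations/workflows","status":201}
{"ts":"2026-06-09T10:01:00Z","user":"ingestion-bot","roles":["IngestionBotRole"],"principal_type":"bot","src_ip":"10.1.2.3","method":"GET","path":"/api/v1/services/databaseServices","status":200}
{"ts":"2026-06-09T10:02:00Z","user":"ingestion-bot","roles":["IngestionBotRole"],"principal_type":"bot","src_ip":"10.9.0.10","method":"GET","path":"/api/v1/tables","status":200}
{"ts":"2026-06-09T10:03:00Z","user":"admin","roles":["Admin"],"principal_type":"user","src_ip":"10.1.2.50","method":"POST","path":"/api/v1/automations/workflows","status":201}
"""

WORKFLOW_PATH = "/api/v1/automations/workflows"
INGESTION_HOSTS = {"10.9.0.10"}   # assumption: addresses of the ingestion workers
ADMIN_ROLES = {"Admin"}           # assumption: role name that marks administrators
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3               # assumption: baseline is fewer than 3 workflow posts per window


def parse_log(text):
    """Parse JSON-lines records and convert the timestamp to a datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def detect(records):
    """Return a list of (rule, user, detail) findings for the three indicators."""
    findings = []
    posts_by_user = defaultdict(list)
    for r in records:
        is_workflow_post = r["method"] == "POST" and r["path"] == WORKFLOW_PATH
        # Indicator 1: HTTP 201 from the workflow endpoint returned to a non-admin account.
        # The workflow type (TEST_CONNECTION) lives in the request body, so every
        # workflow POST is counted here.
        if is_workflow_post and r["status"] == 201 and not (set(r["roles"]) & ADMIN_ROLES):
            findings.append(("non_admin_workflow_201", r["user"], r["src_ip"]))
            posts_by_user[r["user"]].append(r["ts"])
        # Indicator 2: bot principal used from a host that is not an ingestion worker.
        if r["principal_type"] == "bot" and r["src_ip"] not in INGESTION_HOSTS:
            findings.append(("bot_token_from_unexpected_source", r["user"], r["src_ip"]))
    # Indicator 3: burst of workflow submissions by one user inside the window.
    for user, times in posts_by_user.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= BURST_WINDOW]
            if len(in_window) >= BURST_THRESHOLD:
                findings.append(("workflow_burst", user, f"{len(in_window)} posts within {BURST_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the constructed sample the script reports alice's three non-admin 201 responses and the resulting burst, plus one bot-token use from a workstation address; the admin's workflow call and the bot's call from the ingestion worker produce no finding.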
Monitoring Recommendations
- Enable verbose audit logging for the /api/v1/automations/* API path
- Forward OpenMetadata audit logs to a centralized SIEM and correlate with database authentication logs
- Track JWT issuance and reuse patterns to identify token replay from unexpected origins
How to Mitigate CVE-2026-46481
Immediate Actions Required
- Upgrade OpenMetadata to version 1.12.4 or later, which redacts secrets from workflow responses
- Rotate all database service passwords and regenerate the ingestion bot JWT after upgrading
- Audit historical workflow API access to identify any non-admin users who may have already harvested credentials
- Restrict the TEST_CONNECTION capability to administrative roles where business requirements permit
Patch Information
The issue is fixed in OpenMetadata 1.12.4. The patch removes sensitive fields, including connection.config.password and securityConfig.jwtToken, from the workflow response payload. Refer to the OpenMetadata GHSA-9vmh-whc4-7phg advisory for full patch details.
Workarounds
- Limit Database Service and automations workflow permissions to trusted administrators using role-based access control
- Place OpenMetadata behind a reverse proxy that strips known sensitive fields from automations/workflows responses until patching is complete
- Issue short-lived ingestion bot JWTs and rotate them on a fixed schedule to limit the value of any leaked token
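The reverse-proxy workaround above and the patch description in the Vulnerability Analysis section both come down to the same operation: stripping two field paths from the workflow response before it reaches the requester. The following Python filter is an added example (not the advisory's or OpenMetadata's code) of that redaction. Only the two paths named on this page are known; the surrounding JSON layout of the constructed sample, the `***REDACTED***` marker and the extra JWT-shape sweep are assumptions.

```python
"""Response filter that redacts the CVE-2026-46481 secret fields from a workflow body.
Added example; JSON layout beyond the two named field paths is an assumption."""
import json
import re

# Field paths named in the advisory, relative to the workflow object.
SENSITIVE_PATHS = [
    ("request", "connection", "config", "password"),
    ("openMetadataServerConnection", "securityConfig", "jwtToken"),
]
REDACTED = "***REDACTED***"
# Defense in depth (assumption, not from the advisory): any string shaped like a
# JWT (three base64url segments) is redacted wherever it appears in the body.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$")


def _redact_path(obj, path):
    """Replace the value at a nested key path if present; return True when redacted."""
    cur = obj
    for key in path[:-1]:
        if not isinstance(cur, dict) or key not in cur:
            return False
        cur = cur[key]
    if isinstance(cur, dict) and path[-1] in cur:
        cur[path[-1]] = REDACTED
        return True
    return False


def _redact_jwt_like(obj):
    """Walk dicts and lists, redacting JWT-shaped strings; return the number replaced."""
    count = 0
    if isinstance(obj, dict):
        for k, v in obj.items():
            if isinstance(v, str) and JWT_RE.match(v):
                obj[k] = REDACTED
                count += 1
            else:
                count += _redact_jwt_like(v)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            if isinstance(v, str) and JWT_RE.match(v):
                obj[i] = REDACTED
                count += 1
            else:
                count += _redact_jwt_like(v)
    return count


def redact_workflow_response(body: str):
    """Return (redacted JSON text, number of values redacted).
    A body that is not valid JSON raises, so the proxy never forwards it unfiltered."""
    data = json.loads(body)
    hits = sum(_redact_path(data, p) for p in SENSITIVE_PATHS)
    hits += _redact_jwt_like(data)
    return json.dumps(data), hits


# Constructed sample of a 201 response body; the id, names and secret values are made up.
SAMPLE_RESPONSE = json.dumps({
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "test-connection-example",
    "workflowType": "TEST_CONNECTION",
    "request": {"connection": {"config": {
        "type": "Mysql", "username": "svc_om", "password": "CONSTRUCTED-db-secret"}}},
    "openMetadataServerConnection": {"securityConfig": {
        "jwtToken": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJpbmdlc3Rpb24tYm90In0.c2lnbmF0dXJlX3BsYWNlaG9sZGVy"}},
})

if __name__ == "__main__":
    text, n = redact_workflow_response(SAMPLE_RESPONSE)
    print(n, "values redacted")
    print(text)
```

Redaction at the proxy only protects the client-facing response: the secret has already been serialized by the application server, so the credential and JWT rotation listed under Immediate Actions still applies once the upgrade is done.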
# Verify the installed OpenMetadata version and upgrade if below 1.12.4
curl -s -H "Authorization: Bearer $TOKEN" \
https://openmetadata.example.com/api/v1/system/version
# Example Helm upgrade to the patched release
helm repo update
helm upgrade openmetadata open-metadata/openmetadata \
--version 1.12.4 \
--namespace openmetadata
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

