org.open-metadata:openmetadata-dist (>=0.12.1 <=DEMO_BETA1), org.open-metadata:openmetadata-k8s-operator (>=1.12.0 <=1.12.3) +2 more potentially affected by CVE-2026-46481 via org.open-metadata:openmetadata-service (>=DEMO_BETA1 <=1.12.3)

org.open-metadata:openmetadata-service MAVEN version =DEMOBETA1, =0.12.1, =1.12.0, =1.10.0, =1.12.3 - org.open-metadata:openmetadata-ui =0.12.1.preview Source cves: CVE-2026-46481 Source advisory: OSV:GHSA-9VMH-WHC4-7PHG...

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the TESTCONNECTION workflow for a Database Service. An attacker can obtain sensitive credentials and authentication tokens by triggering the workflow and inspecting the HTTP response...

org.open-metadata:openmetadata-dist (>=1.0.0 <=1.11.13), org.open-metadata:openmetadata-mcp (>=1.10.0 <=1.11.13) potentially affected by CVE-2026-26010 via org.open-metadata:openmetadata-service (>=1.0.0-alpha <=1.11.7)

org.open-metadata:openmetadata-service MAVEN version =1.0.0-alpha, =1.0.0, =1.10.0, =1.11.13 Source cves: CVE-2026-26010 Source advisory: SNYK:JAVA-ORGOPENMETADATA-15271046...

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the api/v1/ingestionPipelines endpoint, which exposes JWT tokens used by privileged bot accounts in API responses. An attacker can gain unauthorized access to sensitive data and...

org.open-metadata:openmetadata-dist (>=1.0.0 <=1.11.13), org.open-metadata:openmetadata-mcp (>=1.10.0 <=1.11.13) potentially affected by unknown CVE via org.open-metadata:openmetadata-service (>=1.0.0-alpha <=1.11.3)

org.open-metadata:openmetadata-service MAVEN version =1.0.0-alpha, =1.0.0, =1.10.0, =1.11.13 Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGOPENMETADATA-14912636...

SQL Injection

org.open-metadata, openmetadata-service is vulnerable to SQL Injection. The vulnerability is due to improper handling of the entityType parameter in TestDefinitionDAO.listCount due to concatenating untrusted input into an SQL query, allowing attackers to supply crafted entityType values that modi...

SQL Injection

org.open-metadata, openmetadata-service is vulnerable to SQL Injection. The vulnerability is due to improper handling of the supportedDataTypeParam parameter in TestDefinitionDAO.listCount due to concatenating untrusted input into an SQL query, allowing attackers to supply crafted...

org.open-metadata:openmetadata-dist (>=1.0.0 <=1.13.0-snapshot), org.open-metadata:openmetadata-k8s-operator (>=1.12.0 <=1.13.0-snapshot) +1 more potentially affected by CVE-2025-50465 via org.open-metadata:openmetadata-service (>=1.0.0-alpha <=1.4.4)

org.open-metadata:openmetadata-service MAVEN version =1.0.0-alpha, =1.0.0, =1.12.0, =1.10.0, =1.13.0-snapshot Source cves: CVE-2025-50465 Source advisory: SNYK:JAVA-ORGOPENMETADATA-12009019...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the listCount function in the TestDefinitionDAO interface when the testPlatform parameter is used to construct a SQL query. An attacker can extract sensitive information from the database by injecting crafted input int...

org.open-metadata:openmetadata-dist (>=1.0.0 <=1.13.0-snapshot), org.open-metadata:openmetadata-k8s-operator (>=1.12.0 <=1.13.0-snapshot) +1 more potentially affected by CVE-2025-50467 via org.open-metadata:openmetadata-service (>=1.0.0-alpha <=1.4.4)

org.open-metadata:openmetadata-service MAVEN version =1.0.0-alpha, =1.0.0, =1.12.0, =1.10.0, =1.13.0-snapshot Source cves: CVE-2025-50467 Source advisory: SNYK:JAVA-ORGOPENMETADATA-12009018...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the listCount function in the DocStoreDAO interface when the entityType parameter is used to construct a SQL query. An attacker can extract sensitive information from the database by injecting crafted input into the...

org.open-metadata:openmetadata-dist (>=1.0.0 <=1.13.0-snapshot), org.open-metadata:openmetadata-k8s-operator (>=1.12.0 <=1.13.0-snapshot) +1 more potentially affected by CVE-2025-50468 via org.open-metadata:openmetadata-service (>=1.0.0-alpha <=1.4.4)

org.open-metadata:openmetadata-service MAVEN version =1.0.0-alpha, =1.0.0, =1.12.0, =1.10.0, =1.13.0-snapshot Source cves: CVE-2025-50468 Source advisory: SNYK:JAVA-ORGOPENMETADATA-11959222...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the listCount function in the TestDefinitionDAO interface when the entityType parameter is used to construct an SQL query. A low-privileged attacker can extract sensitive information from the database by supplying...

org.open-metadata:openmetadata-dist (>=1.0.0 <=1.13.0-snapshot), org.open-metadata:openmetadata-k8s-operator (>=1.12.0 <=1.13.0-snapshot) +1 more potentially affected by CVE-2025-50466 via org.open-metadata:openmetadata-service (>=1.0.0-alpha <=1.4.4)

org.open-metadata:openmetadata-service MAVEN version =1.0.0-alpha, =1.0.0, =1.12.0, =1.10.0, =1.13.0-snapshot Source cves: CVE-2025-50466 Source advisory: SNYK:JAVA-ORGOPENMETADATA-12009017...

org.open-metadata:openmetadata-dist (>=1.0.0 <=1.13.0-snapshot), org.open-metadata:openmetadata-k8s-operator (>=1.12.0 <=1.13.0-snapshot) +1 more potentially affected by CVE-2024-55238 via org.open-metadata:openmetadata-service (>=1.0.0-alpha <=1.4.8)

org.open-metadata:openmetadata-service MAVEN version =1.0.0-alpha, =1.0.0, =1.12.0, =1.10.0, =1.13.0-snapshot Source cves: CVE-2024-55238 Source advisory: SNYK:JAVA-ORGOPENMETADATA-9833967...

org.open-metadata:openmetadata-dist (>=0.12.1 <=DEMO_BETA1), org.open-metadata:openmetadata-k8s-operator (>=1.12.0 <=1.13.0-snapshot) +2 more potentially affected by CVE-2024-55238 via org.open-metadata:openmetadata-service (>=DEMO_BETA1 <=1.4.1)

org.open-metadata:openmetadata-service MAVEN version =DEMOBETA1, =0.12.1, =1.12.0, =1.10.0, =1.13.0-snapshot - org.open-metadata:openmetadata-ui =0.12.1.preview Source cves: CVE-2024-55238 Source advisory: OSV:GHSA-X8PM-WRG2-MQMX...

org.open-metadata:openmetadata-dist (>=0.12.1 <=DEMO_BETA1), org.open-metadata:openmetadata-k8s-operator (>=1.12.0 <=1.13.0-snapshot) +2 more potentially affected by CVE-2024-28848 via org.open-metadata:openmetadata-service (>=DEMO_BETA1 <=1.2.3)

org.open-metadata:openmetadata-service MAVEN version =DEMOBETA1, =0.12.1, =1.12.0, =1.10.0, =1.13.0-snapshot - org.open-metadata:openmetadata-ui =0.12.1.preview Source cves: CVE-2024-28848 Source advisory: OSV:GHSA-5XV3-FM7G-865R...

org.open-metadata:openmetadata-dist (>=0.12.1 <=DEMO_BETA1), org.open-metadata:openmetadata-k8s-operator (>=1.12.0 <=1.13.0-snapshot) +2 more potentially affected by CVE-2024-28847 via org.open-metadata:openmetadata-service (>=DEMO_BETA1 <=1.2.3)

org.open-metadata:openmetadata-service MAVEN version =DEMOBETA1, =0.12.1, =1.12.0, =1.10.0, =1.13.0-snapshot - org.open-metadata:openmetadata-ui =0.12.1.preview Source cves: CVE-2024-28847 Source advisory: OSV:GHSA-8P5R-6MVV-2435...

org.open-metadata:openmetadata-dist (>=0.12.1 <=DEMO_BETA1), org.open-metadata:openmetadata-k8s-operator (>=1.12.0 <=1.13.0-snapshot) +2 more potentially affected by CVE-2024-28253 via org.open-metadata:openmetadata-service (>=DEMO_BETA1 <=1.3.0)

org.open-metadata:openmetadata-service MAVEN version =DEMOBETA1, =0.12.1, =1.12.0, =1.10.0, =1.13.0-snapshot - org.open-metadata:openmetadata-ui =0.12.1.preview Source cves: CVE-2024-28253 Source advisory: OSV:GHSA-7VF4-X5M2-R6GR...