OpenMetadata Ingestion Bot JWT and Database Password Leak Vulnerability

Vulnerability

A vulnerability in OpenMetadata versions prior to 1.12.4 allows non-admin SSO users to obtain sensitive information by triggering a TEST_CONNECTION workflow for a Database Service. The HTTP 201 response from the POST /api/v1/automations/workflows endpoint includes both the cleartext database password and a JWT for the ingestion bot, which can be used to access sensitive service APIs with bot-level privileges.

Impact

Exploitation of this vulnerability allows users to access cleartext database credentials and a long-lived JWT for the ingestion bot, which can be used to access and modify services and metadata via the OpenMetadata API.

Reproduction

To reproduce this vulnerability, log in as a regular SSO user without admin privileges. Navigate to the Database Services section and select a service. Click 'Test connection', which sends a POST request to the /api/v1/automations/workflows endpoint. The response includes the database password in cleartext and a JWT for the ingestion bot. This token can then be used to access sensitive database service APIs with bot-level privileges.
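As an added check, not code from the OpenMetadata project: a scanner that walks a workflow response body for cleartext secret fields and JWT-shaped values, next to the response-side redaction the fix implies. The sample response, its field names, the mask string and the token's filler payload and signature are constructed assumptions.

```python
import base64
import json
import re
MASK = "*********"  # assumed mask string; not taken from the project
SECRET_KEYS = re.compile(r"password|secret|token|privatekey", re.I)
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Constructed sample of a TEST_CONNECTION workflow response, shaped after the
# advisory's description; field names and the token's filler are assumptions.
LEAKY_RESPONSE = {
    "workflowType": "TEST_CONNECTION",
    "request": {"serviceType": "Database", "connection": {"config": {
        "type": "Mysql", "username": "app", "authType": {"password": "Sup3rS3cret!"}}}},
    "openMetadataServerConnection": {"securityConfig": {
        "jwtToken": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJpbmdlc3Rpb24tYm90In0.c2lnbmF0dXJl"}},
}

def looks_like_jwt(value: str) -> bool:
    """Three base64url segments whose first decodes to a JSON header with 'alg'."""
    if not JWT_SHAPE.match(value):
        return False
    header = value.split(".")[0]
    try:
        decoded = json.loads(base64.urlsafe_b64decode(header + "=" * (-len(header) % 4)))
    except ValueError:  # binascii.Error, JSONDecodeError and bad UTF-8 all subclass it
        return False
    return isinstance(decoded, dict) and "alg" in decoded

def find_secret_leaks(node, path="$"):
    """Walk a response body; report cleartext secret fields and JWT-shaped strings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings += find_secret_leaks(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings += find_secret_leaks(value, f"{path}[{i}]")
    elif isinstance(node, str):
        if looks_like_jwt(node):
            findings.append((path, "jwt"))
        elif SECRET_KEYS.search(path.rsplit(".", 1)[-1]) and node != MASK:
            findings.append((path, "cleartext-secret"))
    return findings

def redact(node):
    """Server-side fix the advisory implies: mask secret fields before responding."""
    if isinstance(node, dict):
        return {k: MASK if isinstance(v, str) and (SECRET_KEYS.search(k) or looks_like_jwt(v))
                else redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node
```

Running find_secret_leaks over a patched server's response should return an empty list; the two findings on the constructed sample are the password field and the bot JWT the advisory describes.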

Remediation

Users can update to OpenMetadata version 1.12.4 or later to address this vulnerability.

Added: Jun 8, 2026, 5:34 PM
Updated: Jun 8, 2026, 5:34 PM

Vulnerability Rating

Custom Algorithm

  spread          0.8
  impact          5.0
  exploitability  6.6
  remediation     7.7
  relevance       9.2
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.