MCP Observatory
github not analyzable

open-metadata/OpenMetadata

github

The Open Context Layer for Data and AI , OpenMetadata is the open platform for building trusted data context and business semantics for humans, AI assistants, and agents.

maintainer
open-metadata
license
Apache-2.0
first seen
2026-05-22
last seen
2026-06-14
releases · 30d
4
short id
risk54/100 · heuristic grade
C elevated

Source not yet analyzed — this grade rests on attested signals (CVEs, supply-chain) only. It is a floor: reading the code could raise it, not lower it.

  • vulnerabilitiesattested+50
  • capability exposureinferred+10
  • tool safetyinferred+2
  • trust mitigatorsmixed−8

attestedinferredmixed

The A–E grade is our heuristic synthesis — a "review this" prompt, not a verdict. Each factor is tagged by what backs it: attested (a verifiable record), reported (a third party's claim), or inferred (our own heuristic, e.g. permissions). See methodology.

graded 7m ago · see ecosystem CVEs →

risk trajectory1 movements
  • C · 57C · 54
capability exposuregrade factor +10
Inferred surface — each links to servers holding it:
vulnerabilities8 CVEs · grade factor +50
CRITICAL
Server-Side Template Injection (SSTI) in FreeMarker email templates lead to RCE EPSS 1% CVE-2026-22244 affects ["<=1.11.3"]
CRITICAL
Authentication Bypass (`GHSL-2023-237`) EPSS 94% CVE-2024-28255 affects ["< 1.2.4"]
HIGH
[OpenMetadata 1.12.1] TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regu… EPSS 0% CVE-2026-46481 affects ["1.12.1"]
HIGH
Leaky JWTs in OpenMetadata exposing highly-privileged bot users EPSS 0% CVE-2026-26010 affects ["*"]
HIGH
SpEL Injection in `GET /api/v1/events/subscriptions/validation/condition/<expr>` (`GHSL-2023-235`) EPSS 54% CVE-2024-28254 affects ["< 1.2.4"]
MEDIUM
SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`) EPSS 93% CVE-2024-28253 affects ["< 1.3.1"]
MEDIUM
SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`) EPSS 13% CVE-2024-28847 affects ["< 1.2.4"]
MEDIUM
SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` (`GHSL-2023-236`) EPSS 79% CVE-2024-28848 affects ["< 1.2.4"]
tool safety1 findings · grade factor +2
  1. lowexfiltration combosearch_metadata

    single tool reads + sends: net, db

embed badgereadme-ready
live risk-grade badge preview [![MCP Observatory risk grade](https://mcpobservatory.com/servers/github:open-metadata/OpenMetadata/badge.svg)](https://mcpobservatory.com/servers/github:open-metadata/OpenMetadata/security)

Heuristic, inferred signals — false positives (legitimately powerful tools, forks, language ports) are expected. Treat each as "review this", not a verdict. See the ecosystem-wide picture on the security hub, or the fleet security of open-metadata.