OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `‎AlertUtil::validateExpression` method evaluates an SpEL expression using `getValue` which by default uses the `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/events/subscriptions/validation/condition/<expression>` endpoint passes user-controlled data `AlertUtil::validateExpession` allowing authenticated (non-admin) users to execute arbitrary system commands on the underlaying operating system. In addition, there is a missing authorization check since `Authorizer.authorize()` is never called in the affected path and, therefore, any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-235`. This issue may lead to Remote Code Execution and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Thu, 04 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-metadata
Open-metadata openmetadata
CPEs cpe:2.3:a:open-metadata:openmetadata:*:*:*:*:*:*:*:*
Vendors & Products Open-metadata
Open-metadata openmetadata

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-08-13T17:07:09.817Z

Reserved: 2024-03-07T14:33:30.037Z

Link: CVE-2024-28254

cve-icon Vulnrichment

Updated: 2024-08-02T00:48:49.662Z

cve-icon NVD

Status : Analyzed

Published: 2024-03-15T20:15:10.057

Modified: 2025-09-04T13:50:16.613

Link: CVE-2024-28254

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.