Impact
Collibra’s REST API exposes a set of endpoints under the '/rest/*' path that are meant to be protected by authentication checks. Because of an improper authentication implementation in the Collibra Agent, the service does not enforce credentials on these endpoints, so a remote user can invoke privileged functionality without authenticating. The weakness maps to CWE‑287 (Improper Authentication) and CWE‑284 (Improper Access Control) and lets an attacker invoke operations that should be restricted to authorized users.
Affected Systems
The flaw affects both the SaaS and on‑prem deployments of Collibra Platform. The advisory describes Collibra Platform as affected in general terms and does not list affected or fixed version numbers, so administrators should confirm their exact release with Collibra and check whether a fixed build is available for it.
Risk and Exploitability
The API is network‑facing and is often exposed publicly, and the flaw can be exploited remotely without user interaction or credentials. No EPSS score is available and the vulnerability is not listed in CISA KEV, but unauthenticated access to privileged endpoints requires no special tooling to exploit, so the likelihood of exploitation is high wherever the service is reachable from outside the trusted environment. Administrators should treat this as a high‑risk issue until it is mitigated; restricting network access to the '/rest/*' path to trusted clients is a reasonable compensating control while a fix is pending.
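The check below is an added example, not code from Collibra or from the advisory. It sends credential‑less GET requests (no Authorization header, no cookies) to a list of '/rest/*' paths and classifies each response: a 2xx reply on a path that should require authentication is the condition this advisory describes, while 401/403, or a redirect to a login page, indicates the check is enforced. The base URL and the endpoint paths are placeholders (assumptions) that must be replaced with endpoints from your own deployment's API documentation, since the advisory names none. Run it only against systems you are authorized to test, and use read‑only GET paths: a successful call on a privileged endpoint would actually perform the operation.

```python
"""Unauthenticated-access probe for REST paths that should require credentials.

Added example, not code from Collibra or from the advisory. Every URL and path
below is a placeholder (assumption) to be replaced with endpoints from your own
deployment's API documentation.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# Placeholder paths (assumption): the advisory names no specific endpoints.
DEFAULT_PATHS = ["/rest/example/users", "/rest/example/roles"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx; a login redirect is itself a meaningful verdict."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surfaces the 3xx as urllib.error.HTTPError instead of following it


def http_status(base_url: str, path: str, timeout: float = 10.0) -> int:
    """GET base_url+path with no Authorization header and no cookies.

    Returns the HTTP status code, including 3xx/4xx/5xx, without raising.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        method="GET",
        headers={"Accept": "application/json"},
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Map the status of a credential-less request to a verdict."""
    if 200 <= status < 300:
        return "UNAUTHENTICATED_ACCESS"  # served without credentials: the reported condition
    if status in (401, 403):
        return "enforced"  # the authentication/authorization check rejected the request
    if 300 <= status < 400:
        return "redirect"  # usually a login redirect; confirm the Location target manually
    if status == 404:
        return "not_found"  # placeholder path does not exist on this deployment
    return "inconclusive"  # 5xx, 405, etc.: retry with another path or method


def probe(paths: Iterable[str], fetch: Callable[[str], int]) -> Dict[str, Tuple[int, str]]:
    """Fetch every path through an injectable fetch function and classify each result."""
    results: Dict[str, Tuple[int, str]] = {}
    for path in paths:
        status = fetch(path)
        results[path] = (status, classify(status))
    return results


def findings(results: Dict[str, Tuple[int, str]]) -> List[str]:
    """Paths that answered a credential-less GET with 2xx."""
    return sorted(p for p, (_, verdict) in results.items() if verdict == "UNAUTHENTICATED_ACCESS")


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        # Placeholder hostname (assumption).
        print(f"usage: {argv[0]} https://collibra.example.internal [/rest/path ...]")
        return 2
    base_url, paths = argv[1], argv[2:] or DEFAULT_PATHS
    results = probe(paths, lambda p: http_status(base_url, p))
    for path, (status, verdict) in results.items():
        print(f"{status:3d}  {verdict:23s}  {path}")
    bad = findings(results)
    if bad:
        print(f"{len(bad)} path(s) served without credentials")
    else:
        print("no unauthenticated access observed")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non‑zero exit code makes the script usable as a gate in a patch‑verification runbook: run it before and after applying the vendor fix, and treat any path still classified as UNAUTHENTICATED_ACCESS as unmitigated. The fetch function is injected so the classification logic can be exercised offline with recorded status codes.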
OpenCVE Enrichment