Description
DataHub is an open-source metadata platform. Prior to 1.5.0.3, The DataHub frontend (datahub-frontend-react) deserializes attacker-controlled Java objects from the REDIRECT_URL HTTP cookie during the OIDC callback flow, with no integrity protection (no HMAC, no encryption). This is a Deserialization of Untrusted Data vulnerability (CWE-502) affecting the GET /callback/oidc endpoint. Successful exploitation requires a valid user account in the configured OIDC identity provider This vulnerability is fixed in 1.5.0.3.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DataHub front‑end deserializes attacker‑controlled Java objects from the REDIRECT_URL cookie during the OIDC callback flow without any integrity protection, allowing an attacker to potentially execute arbitrary code or hijack a user session. This flaw is a classic Deserialization of Untrusted Data vulnerability (CWE‑502).

Affected Systems

The vulnerability affects the datahub-project datahub platform, specifically versions prior to 1.5.0.3, in the datahub‑frontend‑react component that processes the GET /callback/oidc endpoint.

Risk and Exploitability

With a CVSS score of 4.3 the risk is moderate. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a valid user account in the configured OIDC identity provider and the attacker must persuade the front‑end to read a malicious REDIRECT_URL cookie during the normal OIDC callback flow. The attack vector is thus implicit in legitimate authentication traffic and could be triggered by manipulating the cookie sent from a client device manually or via a phishing URI.

Generated by OpenCVE AI on May 14, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to DataHub 1.5.0.3 or later where the deserialization issue is fixed.
  • If upgrading immediately is not possible, block or restrict access to the GET /callback/oidc endpoint using a reverse‑proxy or firewall until a patch is applied.
  • Reconfigure your OIDC provider to enforce strict redirect‑URL validation and avoid storing redirect information in client‑side cookies.

Generated by OpenCVE AI on May 14, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Datahub Project
Datahub Project datahub
Vendors & Products Datahub Project
Datahub Project datahub

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description DataHub is an open-source metadata platform. Prior to 1.5.0.3, The DataHub frontend (datahub-frontend-react) deserializes attacker-controlled Java objects from the REDIRECT_URL HTTP cookie during the OIDC callback flow, with no integrity protection (no HMAC, no encryption). This is a Deserialization of Untrusted Data vulnerability (CWE-502) affecting the GET /callback/oidc endpoint. Successful exploitation requires a valid user account in the configured OIDC identity provider This vulnerability is fixed in 1.5.0.3.
Title DataHub OIDC REDIRECT_URL Cookie Deserialization Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Datahub Project Datahub
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:22:31.914Z

Reserved: 2026-05-06T18:28:20.886Z

Link: CVE-2026-44501

cve-icon Vulnrichment

Updated: 2026-05-14T18:22:29.136Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T16:16:24.073

Modified: 2026-05-14T18:12:13.527

Link: CVE-2026-44501

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T18:15:16Z

Weaknesses