# OpenMetadata Security Vulnerabilities

This page lists all security vulnerabilities fixed in released versions of OpenMetadata.

## [CVE-2024-28255](https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84) Authentication Bypass

This CVE identifies a vulnerability in JWTFilter which could be used to bypass authentication checks for a few API endpoints.

| Field | Value |
|---|---|
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and Later |
| Severity | Critical |
| Impact | This issue may lead to authentication bypass. |
| Advice | We advise all OpenMetadata users to promptly upgrade to (>=1.2.4) to mitigate this vulnerability. |
| Issue fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |

## [CVE-2024-28848](https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5xv3-fm7g-865r) SpEL Injection in GET /api/v1/policies/validation/condition/<expr>

This CVE identifies a flaw that allows registered and authenticated users to exploit the API endpoint /api/v1/policies/validation/condition to remotely execute code on the server.

| Field | Value |
|---|---|
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and Later |
| Severity | Moderate |
| Impact | This issue may lead to Remote Code Execution by a registered and authenticated user. |
| Advice | We advise all OpenMetadata users to promptly upgrade to (>=1.2.4) to mitigate this vulnerability. |
| Issue fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |

## [CVE-2024-28847](https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-8p5r-6mvv-2435) SpEL Injection in PUT /api/v1/events/subscriptions

This CVE identifies a flaw that allows registered and authenticated users to exploit the API endpoint /api/v1/events/subscriptions to remotely execute code on the server.

| Field | Value |
|---|---|
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and Later |
| Severity | Moderate |
| Impact | This issue may lead to Remote Code Execution by a registered and authenticated user. |
| Advice | We advise all OpenMetadata users to promptly upgrade to (>=1.2.4) to mitigate this vulnerability. |
| Issue fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |

## [CVE-2024-28254](https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-j86m-rrpr-g8gw) SpEL Injection in GET /api/v1/events/subscriptions/validation/condition/<expr>

This CVE identifies a flaw that allows registered and authenticated users to exploit the API endpoint GET /api/v1/events/subscriptions/validation/condition/<expr> to remotely execute code on the server.

| Field | Value |
|---|---|
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and Later |
| Severity | High |
| Impact | This issue may lead to Remote Code Execution by a registered and authenticated user. |
| Advice | We advise all OpenMetadata users to promptly upgrade to (>=1.2.4) to mitigate this vulnerability. |
| Issue fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |

## [CVE-2024-28253](https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-7vf4-x5m2-r6gr) SpEL Injection in `PUT /api/v1/policies`

A possible security vulnerability has been identified in OpenMetadata SpEL rule evaluation. It requires access to the OpenMetadata APIs as an authenticated user: an authenticated user can send a PUT request with a malicious payload that executes a JVM method and runs code on the server.
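As an added illustration of the bug class behind the four SpEL entries on this page (it is not OpenMetadata's code, nor its actual fix), the Java below evaluates a user-supplied rule condition once with Spring's StandardEvaluationContext, which can reach any JVM type, and once with a SimpleEvaluationContext that only exposes a supplied root object. RuleContext, hasTag() and isOwner() are hypothetical stand-ins for a real policy evaluation context.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import java.util.Set;

public class SpelRuleEvaluation {

    /** Hypothetical root object: the only data a rule condition should reach. */
    public static class RuleContext {
        private final Set<String> tags;
        private final boolean owner;
        public RuleContext(Set<String> tags, boolean owner) { this.tags = tags; this.owner = owner; }
        public boolean hasTag(String tag) { return tags.contains(tag); }
        public boolean isOwner() { return owner; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    /** Risky pattern: StandardEvaluationContext resolves T(...) type references
     *  and constructors, so an expression can call arbitrary JVM methods. */
    public static Object evaluateUnsafe(String condition, RuleContext root) {
        Expression expr = PARSER.parseExpression(condition);
        return expr.getValue(new StandardEvaluationContext(root));
    }

    /** Hardened pattern: a data-binding context with no type locator or constructor
     *  resolver; withInstanceMethods() still allows calls on the root object. */
    public static Object evaluateRestricted(String condition, RuleContext root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withInstanceMethods()
                .withRootObject(root)
                .build();
        Expression expr = PARSER.parseExpression(condition);
        return expr.getValue(ctx);
    }

    public static void main(String[] args) {
        RuleContext root = new RuleContext(Set.of("PII.Sensitive"), false);
        // A legitimate rule condition evaluates in the restricted context.
        System.out.println(evaluateRestricted("hasTag('PII.Sensitive') && !isOwner()", root));
        // A harmless type reference shows the difference: the standard context runs it,
        // the restricted context rejects it, which is what a validation endpoint needs.
        System.out.println(evaluateUnsafe("T(java.lang.Math).abs(-1)", root));
        try {
            evaluateRestricted("T(java.lang.Math).abs(-1)", root);
        } catch (SpelEvaluationException e) {
            System.out.println("rejected: " + e.getMessageCode());
        }
    }
}
```

Restricting the evaluation context is one defence; the page's advice to upgrade to a fixed version remains the required step.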

| Field | Value |
|---|---|
| Versions affected | 0.3.0 - 1.3.0 |
| Fixed versions | 1.3.1 and Later |
| Severity | Moderate |
| Impact | This issue may lead to Remote Code Execution by a registered and authenticated user. |
| Advice | We advise all OpenMetadata users to upgrade to (>=1.3.1) to mitigate this vulnerability. |
| Issue fixed | Mar 1st 2024 |
| Issue announced | March 16th 2024 |