CVE-2026-44501 MEDIUM

CVE-2026-44501: DataHub OIDC REDIRECT_URL Cookie Deserialization Vulnerability

Vendor Datahub-Project
Product datahub
Weakness CWE-502 · Unsafe deserialization
Published May 14, 2026
Last update May 14, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

DataHub is an open-source metadata platform. Prior to 1.5.0.3, The DataHub frontend (datahub-frontend-react) deserializes attacker-controlled Java objects from the REDIRECT_URL HTTP cookie during the OIDC callback flow, with no integrity protection (no HMAC, no encryption). This is a Deserialization of Untrusted Data vulnerability (CWE-502) affecting the GET /callback/oidc endpoint. Successful exploitation requires a valid user account in the configured OIDC identity provider This vulnerability is fixed in 1.5.0.3.

Key dates

02Disclosure timeline

May 14, 2026 CVE published
May 14, 2026 Record updated