Skip to main content

Collibra Platform CVE-2026-10622

| EUVDEUVD-2026-33930 HIGH
2026-06-02 cret@cert.org GHSA-qhxc-r9rq-h2gw
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 20:25 vuln.today
CVSS changed
Jun 02, 2026 - 20:22 NVD
8.2 (HIGH)
Patch available
Jun 02, 2026 - 16:01 EUVD
CVE Published
Jun 02, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/* endpoints.

AnalysisAI

Authentication bypass in Collibra Platform's REST API allows remote unauthenticated attackers to reach privileged functionality through exposed '/rest/*' endpoints across multiple SaaS and on-premises release trains. The flaw carries a CVSS 8.2 (high) score reflecting network-reachable, no-privilege exploitation with high confidentiality impact, and no public exploit identified at time of analysis. A vendor patch has been issued across all affected branches, and reporting via CERT/CC (VU#873170) indicates coordinated disclosure rather than active exploitation.

Technical ContextAI

Collibra Platform is an enterprise data governance and catalog product that exposes a REST API under the '/rest/*' URI tree, used by the web UI, agents (such as the Collibra Agent component named in the CVE), and integrations. The underlying weakness is an Improper Authentication class issue (CWE-287 family, consistent with the 'Authentication Bypass' tag) in which one or more '/rest/*' handlers fail to enforce session or token validation, so privileged operations normally gated behind authenticated roles can be invoked anonymously. Because the API is the primary control plane for catalog metadata, lineage, workflows, and user/role administration, weaknesses in its authentication layer translate directly into access to sensitive enterprise data assets.

RemediationAI

Vendor-released patches are available on every affected branch: upgrade on-prem 2025.10.x to 2025.10.399 or later, on-prem 2026.03.x to 2026.03.356 or later, and SaaS branches to 2025.10.9, 2025.11.7, 2026.02.6, 2026.03.4, or 2026.04.5 respectively per the EUVD entry. SaaS tenants should confirm with Collibra Support that their environment has been rolled to the fixed minor; on-prem operators must schedule the upgrade themselves. Until the upgrade lands, compensating controls include restricting reachability of the '/rest/*' URI tree at a reverse proxy or WAF so it is only accessible from trusted CIDR ranges and authenticated integration hosts, denying unauthenticated requests to privileged sub-paths at the ingress layer, and increasing logging/alerting on anonymous '/rest/*' calls; the trade-off is that legitimate agent and integration traffic must be allow-listed by source, which can break SaaS-to-on-prem connectors if mis-scoped. Authoritative remediation details should be confirmed against CERT/CC VU#873170 (https://kb.cert.org/vuls/id/873170), the Collibra vendor portal (https://www.collibra.com/), and CVE-2026-10622 at https://nvd.nist.gov/vuln/detail/CVE-2026-10622.

Share

CVE-2026-10622 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy