CVE-2025-50465 is a high-severity SQL Injection vulnerability affecting OpenMetadata versions up to and including 1.4.4. The vulnerability resides in the function listCount within the TestDefinitionDAO interface, where the testPlatform parameter is improperly sanitized and directly used to construct a SQL query. This flaw allows an attacker to inject malicious SQL code, enabling unauthorized extraction of sensitive information from the underlying database. The vulnerability requires low privileges (PR:L) and no user interaction (UI:N) to exploit, and it can be triggered remotely over the network without authentication (AV:N). The CVSS 3.1 score of 7.1 reflects the high confidentiality impact due to potential data leakage, a low integrity impact as the vulnerability primarily allows data reading rather than modification, and no impact on availability. Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a significant risk, especially in environments where OpenMetadata is used to manage critical metadata and data governance information. The absence of available patches at the time of publication increases the urgency for mitigation.

For European organizations, the impact of this vulnerability can be substantial. OpenMetadata is often used in data-driven enterprises to catalog, manage, and govern metadata across various data sources. Exploitation could lead to unauthorized disclosure of sensitive business intelligence, personally identifiable information (PII), or intellectual property stored within the metadata repository. This could result in regulatory non-compliance, particularly under GDPR, leading to legal penalties and reputational damage. Additionally, attackers could leverage the extracted information to facilitate further attacks, such as privilege escalation or lateral movement within the network. The vulnerability's ease of exploitation and remote accessibility increase the risk of widespread compromise, especially in sectors like finance, healthcare, and government agencies that rely heavily on metadata management for operational integrity and compliance.

European organizations should immediately assess their use of OpenMetadata and identify if versions up to 1.4.4 are deployed. In the absence of an official patch, organizations should implement the following mitigations: 1) Apply strict input validation and sanitization on the testPlatform parameter at the application level to prevent injection of malicious SQL code. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable endpoint. 3) Restrict database user permissions associated with OpenMetadata to the minimum necessary, avoiding excessive read privileges that could be exploited. 4) Monitor database and application logs for unusual query patterns indicative of injection attempts. 5) Isolate OpenMetadata instances within segmented network zones to limit exposure. 6) Plan for an upgrade to a patched version once available, and subscribe to vendor advisories for timely updates. 7) Conduct security awareness training for developers and administrators on secure coding practices and vulnerability management.