CVE-2026-25644 is a vulnerability identified in the DataHub open-source metadata platform, specifically in versions prior to 1.3.1.8. The vulnerability arises from improper certificate validation (classified under CWE-295) in the LDAP ingestion source component. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack by exploiting a TLS downgrade mechanism. Essentially, the LDAP ingestion source fails to properly validate TLS certificates, permitting an attacker positioned between the DataHub instance and the LDAP server to downgrade the TLS connection to a less secure protocol or no encryption at all. This enables interception, eavesdropping, or manipulation of metadata ingestion data without requiring any authentication or user interaction, increasing the attack surface significantly. The vulnerability was publicly disclosed and assigned CVE-2026-25644 with a CVSS v3.1 base score of 7.5, indicating high severity. The issue was addressed and patched in DataHub version 1.3.1.8, which enforces proper certificate validation and mitigates the TLS downgrade attack vector. No known exploits have been reported in the wild as of the publication date. The vulnerability impacts the confidentiality of data ingested via LDAP, while integrity and availability remain unaffected. The attack vector is network-based, requiring no privileges or user interaction, making it relatively easy to exploit in environments where an attacker can intercept network traffic.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive metadata ingested via LDAP into DataHub platforms. Metadata platforms often contain critical organizational data about data assets, lineage, and governance, which if intercepted or manipulated, could lead to information leakage or further targeted attacks. Organizations relying on DataHub for metadata management in sectors such as finance, healthcare, and government are particularly at risk. The ability to perform a MITM attack without authentication means that attackers with network access—such as those inside compromised networks or with access to network infrastructure—can exploit this vulnerability. This could lead to exposure of sensitive information or facilitate lateral movement within networks. Given the widespread use of open-source tools like DataHub in European enterprises and public sector organizations, the impact could be broad, especially if patching is delayed. Additionally, compliance with GDPR and other data protection regulations could be jeopardized if metadata confidentiality is compromised.

European organizations should immediately upgrade any DataHub deployments to version 1.3.1.8 or later to apply the official patch that fixes the improper certificate validation issue. Beyond upgrading, organizations should enforce strict TLS configurations for LDAP connections, including disabling legacy or weak TLS versions and cipher suites to prevent downgrade attacks. Network segmentation should be implemented to limit exposure of LDAP traffic to trusted network zones only. Employing network monitoring and intrusion detection systems to detect unusual LDAP traffic patterns or potential MITM attempts can provide early warnings. Organizations should also conduct regular audits of their DataHub configurations and ensure that certificate validation is enabled and correctly configured. Where possible, use mutual TLS authentication between DataHub and LDAP servers to strengthen trust. Finally, educating network administrators and security teams about the risks of TLS downgrade attacks and proper certificate validation practices will help maintain a secure environment.