CVE-2026-10622
Severity: HIGH. CNA: certcc.

Improper Authentication in REST API in Collibra Agent allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/*' endpoints.

Metrics

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: 2025.10.9 (earliest of the fix versions listed under "Fix available" below)
Affected products: 7


HarborGuard Analysis

Synopsis

Improper authentication in the Collibra Platform REST API (Collibra Agent) allows a remote attacker with no credentials to reach privileged endpoints under '/rest/*'. The service is exposed over the network and requires neither prior authentication nor victim interaction, so any host that can route to the REST API port can attempt the attack. Successful exploitation gives an attacker read access to sensitive data (C:H) and limited write capability (I:L) against the affected service; availability is not impacted (A:N). Patched-image rebuilds at the fix versions 2025.10.9, 2025.10.399, 2025.11.7, 2026.02.6, 2026.03.4, 2026.03.356 and 2026.04.5 (and later) are available on HarborGuard for affected environments; which fix version applies depends on the deployment variant (on-prem or SaaS) and release train.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10622 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that incorporate Collibra Platform components. Coverage applies to both on-prem and SaaS-variant image tags within the affected version ranges.

Triage: Available

Triage is available with a CVSS v3.1 score of 8.2 (HIGH), surfaced alongside per-environment compliance policy weighting so that findings are routed to the appropriate team inbox within each customer organization. Policy-based severity overrides and suppression rules can be applied at the organization or image-group level to reflect deployment context.

Patch: Available

Patched-image rebuilds at the fix versions (2025.10.9, 2025.10.399, 2025.11.7, 2026.02.6, 2026.03.4, 2026.03.356, 2026.04.5, and their successors) are available on HarborGuard for any environment running an affected image tag. For customers who opt into auto-remediation, the platform performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Collibra REST API service over the network (AV:N); there is no requirement for LAN adjacency or physical access.

  • Authentication: Not required

    No credentials of any kind are needed (PR:N); the improper authentication flaw exposes the privileged '/rest/*' endpoints to unauthenticated callers directly.

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from any user of the Collibra Platform (UI:N).

  • Attack complexity: Low

    Attack complexity is low (AC:L): the CVSS assessment assumes no special access conditions, race windows, or environmental factors outside the attacker's control are needed for the attack to succeed.

Blast Radius

  • Reads sensitive data exposed through the privileged REST API endpoints (C:H), which may include data governance metadata, user account details, and stored configuration.
  • Performs limited writes or modifications to resources reachable through the privileged '/rest/*' endpoints (I:L), potentially altering governance policies or asset records.
  • No direct availability impact is indicated by the CVSS vector (A:N), so service uptime is not affected by exploitation alone. Scope is unchanged (S:U): the rated impact is confined to the Collibra service itself.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10622 is active across all connected environments the moment the CVE is ingested, typically within minutes of publication. For environments running affected Collibra Platform image versions, patched rebuilds at the fix versions listed above become available automatically. For customers who opt into auto-remediation, the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes, covering the rebuild, regression run, and pull request against affected workloads. Where compliance policy requires manual approval, the patched image and test results are staged and queued for reviewer action. For environments where an immediate rebuild is not yet possible (for example, where the SaaS variant fix has not yet propagated), compensating controls are worth applying in the interim: network-policy rules that restrict inbound access to the Collibra REST API port to known client sources, and egress filtering on the agent container.


Fix available

2025.10.9, 2025.10.399, 2025.11.7, 2026.02.6, 2026.03.4, 2026.03.356, 2026.04.5
Affected packages
  • Collibra / Collibra Platform (on-prem)
    < 2026.03.356 (from 2026.03)
  • Collibra / Collibra Platform (on-prem)
    < 2025.10.399 (from 2025.10)
  • Collibra / Collibra Platform (SaaS)
    < 2026.04.5 (from 2026.04)
  • Collibra / Collibra Platform (SaaS)
    < 2026.03.4 (from 2026.03)
  • Collibra / Collibra Platform (SaaS)
    < 2026.02.6 (from 2026.02)
  • Collibra / Collibra Platform (SaaS)
    < 2025.11.7 (from 2025.11)
  • Collibra / Collibra Platform (SaaS)
    < 2025.10.9 (from 2025.10)
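The affected ranges above are split by deployment variant and release train, and a version that is fixed on one train (2025.11.7 for SaaS) is not listed at all for another (on-prem has no 2025.11 entry). As an added example, not HarborGuard or Collibra tooling, the following checks an inventory of deployments against exactly the ranges transcribed from this page. It assumes Collibra versions are written 'YYYY.MM' or 'YYYY.MM.patch', that each "< fixed (from start)" entry means the half-open interval [start, fixed) within one release train, and it deliberately returns 'unlisted' rather than 'fixed' for trains the page gives no verdict on. The hostnames in SAMPLE_INVENTORY are constructed for the example.

```python
"""Match Collibra Platform versions against the affected ranges listed above.

Added example, not HarborGuard or Collibra code. Assumptions: versions are
'YYYY.MM' or 'YYYY.MM.patch'; each "< fixed (from start)" entry on the page
is the half-open interval [start, fixed) inside one release train (the
'YYYY.MM' prefix); trains the page does not list get 'unlisted', never 'fixed'.
"""
from dataclasses import dataclass

Version = tuple  # (year, month, patch)


def parse_version(text: str) -> Version:
    """'2025.10.398' -> (2025, 10, 398); a bare train '2025.10' -> (2025, 10, 0)."""
    parts = text.strip().split(".")
    if len(parts) == 2:
        parts.append("0")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Collibra version format: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class AffectedRange:
    variant: str         # 'on-prem' or 'saas'
    introduced: Version  # first version in the range (the "from" value)
    fixed: Version       # first version that is NOT affected (the "<" value)


# Transcribed from the "Affected packages" list on this page.
AFFECTED_RANGES = (
    AffectedRange("on-prem", parse_version("2026.03"), parse_version("2026.03.356")),
    AffectedRange("on-prem", parse_version("2025.10"), parse_version("2025.10.399")),
    AffectedRange("saas", parse_version("2026.04"), parse_version("2026.04.5")),
    AffectedRange("saas", parse_version("2026.03"), parse_version("2026.03.4")),
    AffectedRange("saas", parse_version("2026.02"), parse_version("2026.02.6")),
    AffectedRange("saas", parse_version("2025.11"), parse_version("2025.11.7")),
    AffectedRange("saas", parse_version("2025.10"), parse_version("2025.10.9")),
)


def assess(variant: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one deployment.

    Only a range for the same variant AND the same release train can give a
    verdict; comparing a 2025.11 on-prem build against the 2025.10 on-prem
    range would silently mark it fixed, which the page does not support.
    """
    v = parse_version(version)
    variant = variant.strip().lower()
    for r in AFFECTED_RANGES:
        if r.variant == variant and r.introduced[:2] == v[:2]:
            return "affected" if r.introduced <= v < r.fixed else "fixed"
    return "unlisted"


# Constructed inventory for the example (hypothetical names, not real hosts).
SAMPLE_INVENTORY = [
    ("collibra-prod-01", "on-prem", "2025.10.398"),  # one patch short of the fix
    ("collibra-prod-02", "on-prem", "2025.10.399"),  # exactly the fix version
    ("collibra-dev", "on-prem", "2025.11.7"),        # train not listed for on-prem
    ("tenant-a", "SaaS", "2026.02.5"),
    ("tenant-b", "SaaS", "2026.04.5"),
]


def triage(inventory):
    """Group inventory entries by verdict; 'unlisted' ones need a human look."""
    out = {"affected": [], "fixed": [], "unlisted": []}
    for name, variant, version in inventory:
        out[assess(variant, version)].append(name)
    return out


if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict}: {', '.join(names) or '-'}")
```

The three-way verdict is the point: a scanner that collapses "no matching range" into "not vulnerable" will report the on-prem 2025.11 build as clean, when the only honest answer from this page's data is that it is not covered by any listed range.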
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N