DataHub is an open-source metadata platform. Prior to version 0.8.45, the StatelessTokenService of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the StatelessTokenService of the Metadata service uses the parse method of io.jsonwebtoken.JwtParser, which does not perform a verification of the cryptographic token signature. This means that JWTs are accepted regardless of the used algorithm. This issue may lead to an authentication bypass. Version 0.8.45 contains a patch for the issue. There are no known workarounds.
CVE-2022-39366
This critical-severity CVE scores 9.9 under NVD CVSS v3. EPSS exploit probability: 1.0%, top 23% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.9
- EG Score
- 9.9(medium)
- EPSS
- 53.9%
- KEV
- Not listed
Published
October 28, 2022
Last Modified
December 3, 2025
Advisory Details (5)
Auto-updated Jul 6, 2026Missing JWT signature check (`GHSL-2022-078`) · Advisory · datahub-project/datahub · GitHub
https://github.com/datahub-project/datahub/security/advisories/GHSA-r8gm-v65f-c973DataHub v0.8.45
Patch available: datahub-project/datahub v0.8.45
https://github.com/datahub-project/datahub/releases/tag/v0.8.45datahub/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java at aa146db611e3a4ca3aa17bb740783f789d4444d3 · datahub-project/datahub · GitHub
https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L30datahub/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java at aa146db611e3a4ca3aa17bb740783f789d4444d3 · datahub-project/datahub · GitHub
https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L134Missing JWT signature check — CodeQL query help documentation
https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| acryl-datahub | 0.0.2 ... 0.8.9.0 (321 versions) | 0.8.45 | — |
Weakness Classification(3)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 9× in last 7d / 45× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-09 19:08 UTCEPSS rescore
- 2026-07-08 15:12 UTCEPSS rescore
- 2026-07-07 13:44 UTCEPSS rescore
- 2026-07-06 16:25 UTCEPSS rescore
- 2026-07-06 16:25 UTCEPSS rescore
- 2026-07-06 02:21 UTCEPSS rescore
- 2026-07-06 02:21 UTCEPSS rescore
- 2026-07-05 02:28 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-01 15:04 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-29 14:04 UTCEPSS rescore
- 2026-06-28 15:02 UTCOSV refresh
- 2026-06-28 14:06 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
Show 59 moreShow fewer
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-11 04:09 UTCOSV refresh
- 2026-06-10 22:17 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:43 UTCEPSS rescore
- 2026-05-29 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-25 13:02 UTCEG score recompute
Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2022-39366?
When was CVE-2022-39366 disclosed?
Is CVE-2022-39366 actively exploited?
What is the CVSS score of CVE-2022-39366?
How do I remediate CVE-2022-39366?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2022-39366
Is Your Infrastructure Affected by CVE-2022-39366?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.