Description
OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.
Published: 2026-01-08
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

OpenMetadata servers earlier than 1.11.4 host a Server‑Side Template Injection in FreeMarker email templates, permitting an attacker with administrative privileges to embed arbitrary FreeMarker expressions that are evaluated on the server. The injection can result in remote code execution, giving the attacker full control over the host operating system. This flaw is classified as CWE‑1336 (Server‑Side Template Injection) and CWE‑94 (Code Injection).

Affected Systems

The vulnerability impacts the open‑metadata:OpenMetadata product. Any deployment running a version lower than 1.11.4 is affected. Version 1.11.4 and later incorporate the necessary patch to eliminate the injection point.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, yet the EPSS score of less than 1% suggests a low likelihood of real‑world exploitation at present; the issue is not listed in CISA’s KEV catalog. Exploitation requires prior administrative access, so the risk is confined to environments where such privileges exist. An attacker would craft a malicious payload within an email template, causing the server to execute arbitrary commands on the underlying host.

Generated by OpenCVE AI on April 18, 2026 at 07:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenMetadata to version 1.11.4 or later to apply the vendor patch.
  • Restrict administrative privileges to trusted personnel and audit all custom email templates for malicious expressions.
  • Monitor server logs for suspicious template rendering or execution of system commands that may indicate exploitation.
  • Stay updated on new advisories from OpenMetadata and apply subsequent patches promptly.

Generated by OpenCVE AI on April 18, 2026 at 07:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5f29-2333-h9c7 OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE
History

Thu, 15 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
CPEs cpe:2.3:a:open-metadata:openmetadata:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Open-metadata
Open-metadata openmetadata
Vendors & Products Open-metadata
Open-metadata openmetadata

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Description OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.
Title OpenMetadata Server-Side Template Injection (SSTI) in FreeMarker email templates that leads to RCE
Weaknesses CWE-1336
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P'}

Subscriptions

Open-metadata Openmetadata
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T15:54:36.467Z

Reserved: 2026-01-07T05:19:12.920Z

Link: CVE-2026-22244

cve-icon Vulnrichment

Updated: 2026-01-08T15:50:26.449Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-08T16:16:02.647

Modified: 2026-01-15T21:14:29.580

Link: CVE-2026-22244

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses