Executive Summary

CVE-2026-22244 is a critical Remote Code Execution (RCE) vulnerability in OpenMetadata versions prior to 1.11.4. It arises from Server-Side Template Injection (SSTI) in FreeMarker email templates, where user-controlled template content is rendered without proper security restrictions. An attacker with administrative privileges can modify email templates to inject malicious FreeMarker code that executes arbitrary system commands on the server when the template is rendered. This occurs because the application does not sandbox the FreeMarker templates or disable dangerous built-ins, allowing arbitrary class instantiation and reflection. [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full arbitrary command execution on the server hosting OpenMetadata. An attacker with Admin privileges can execute system commands, escalate privileges, exfiltrate sensitive data such as database credentials, API keys, and JWT keys, and establish persistent access via reverse shells. This compromises confidentiality, integrity, and availability of the system, potentially leading to data breaches, reputation damage, and further attacks through OpenMetadata's extensive connectors. [2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability threatens compliance with common standards and regulations such as GDPR, SOC2, and HIPAA by exposing sensitive data and enabling unauthorized access. Exploitation can lead to data breaches involving personal and protected health information, violating regulatory requirements for data protection and privacy, and resulting in legal and financial consequences. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your OpenMetadata instance is running a vulnerable version prior to 1.11.4 and if any email templates have been modified with malicious FreeMarker code. Specifically, you can look for suspicious PATCH requests to the API endpoint `/api/v1/docStore/{templateId}` that modify email templates. You can also search your database for FreeMarker templates containing suspicious payloads such as `<#assign ex="freemarker.template.utility.Execute"?new()>${ex("whoami")}`. Network monitoring tools can be used to detect unusual command execution patterns or outbound connections indicative of exploitation. There are no explicit commands provided in the resources, but you can query your database for templates containing the string `freemarker.template.utility.Execute` or monitor API logs for PATCH requests to `/api/v1/docStore/` endpoints. [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade OpenMetadata to version 1.11.4 or later, which contains the patch fixing this vulnerability. The fix involves updating the FreeMarker template instantiation in `DefaultTemplateProvider.java` to use a sandboxed configuration that enables `TemplateClassResolver.SAFER_RESOLVER`, disables the `?api` built-in, disables classic compatibility, and restricts template loading to safe sources. Until you can upgrade, restrict administrative access to trusted users only, monitor for suspicious template modifications, and consider disabling email notifications that render templates. Applying the official patch from the OpenMetadata GitHub repository is recommended. [1, 2]

Useful 0 Not Useful 0