CVE-2026-28228
Server-Side Template Injection in OpenOlat Enables RCE
Publication date: 2026-03-30
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frentix | openolat | Up to 19.1.31 (exc) |
| frentix | openolat | From 20.0.0 (inc) to 20.1.18 (exc) |
| frentix | openolat | From 20.2.0 (inc) to 20.2.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenOlat, an open source web-based e-learning platform. Before certain patched versions, an authenticated user with the Author role could inject Velocity directives into a reminder email template. When the reminder email is processed, these injected directives are evaluated on the server side. By exploiting Velocity's #set directive combined with Java reflection, an attacker can instantiate arbitrary Java classes such as java.lang.ProcessBuilder and execute operating system commands with the privileges of the Tomcat process running the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user with the Author role to execute arbitrary operating system commands on the server hosting OpenOlat by injecting and evaluating malicious Velocity directives in reminder email templates. This can lead to unauthorized access, data manipulation, or system compromise.
Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability of systems.
Specifically, if an attacker exploits this vulnerability to access or manipulate personal data stored or processed by OpenOlat, it could result in violations of data protection requirements, leading to legal and regulatory consequences.
How can this vulnerability impact me?
This vulnerability allows an attacker with Author role access to execute arbitrary operating system commands on the server hosting OpenOlat. Since the commands run with the privileges of the Tomcat process, which is often root in containerized deployments, this can lead to full system compromise, unauthorized data access, data modification, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenOlat to one of the patched versions: 19.1.31, 20.1.18, or 20.2.5.
This will prevent authenticated users with the Author role from injecting malicious Velocity directives into reminder email templates, thereby avoiding server-side command execution.