CVE-2026-22244
Published: 08 January 2026
Summary
CVE-2026-22244 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Open-Metadata Openmetadata. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22244 is a remote code execution vulnerability affecting OpenMetadata, a unified metadata platform. Versions prior to 1.11.4 are vulnerable due to Server-Side Template Injection (SSTI) in FreeMarker email templates, mapped to CWEs-1336 and CWE-94.
An attacker must possess administrative privileges to exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables remote code execution, resulting in high impacts to confidentiality, integrity, and availability, as indicated by the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Mitigation is available in OpenMetadata version 1.11.4, which contains a patch. Details are provided in the GitHub security advisory GHSA-5f29-2333-h9c7 and the patching commit bffe7c45807763f9b682021d4211c478d2a08bb3.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1673
Vulnerability details
OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSTI in public-facing OpenMetadata server directly enables remote exploitation for code execution (T1190); resulting RCE facilitates arbitrary command/script execution on the host (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires application of the vendor patch in OpenMetadata 1.11.4 that eliminates the FreeMarker SSTI flaw.
Mandates validation and sanitization of all user-supplied template content to block server-side template injection leading to RCE.
Restricts administrative accounts to the minimum privileges needed, limiting the ability of an admin to reach and abuse the vulnerable email-template function.