CVE-2026-22244

7.2 HIGH

📋 TL;DR

OpenMetadata versions before 1.11.4 contain a Server-Side Template Injection (SSTI) vulnerability in the FreeMarker-rendered email templates that allows remote code execution. An attacker who already holds administrative privileges can abuse it to execute arbitrary code with the privileges of the OpenMetadata server process. Every deployment running a vulnerable version is affected; no non-default configuration is needed to reach the flaw.

💻 Affected Systems

Products:
  • OpenMetadata
Versions: All versions prior to 1.11.4
Operating Systems: All platforms running OpenMetadata
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative privileges to exploit, so the practical attack surface is the set of admin accounts (and any session, token or SSO path that yields admin). All deployments running vulnerable versions are affected regardless of configuration.

📦 What is this software?

OpenMetadata is an open-source metadata platform for data discovery, lineage, data quality and governance. Its Java backend server renders notification emails from FreeMarker templates, which is the component this vulnerability sits in.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the OpenMetadata server, potentially leading to data theft, lateral movement, or deployment of persistent backdoors.

🟠

Likely Case

An attacker holding admin credentials (or a compromised admin session) executes arbitrary commands on the server to steal the metadata catalog and stored connection secrets, modify configurations, or disrupt service availability.

🟢

If Mitigated

Limited impact where administrative access is tightly controlled and monitored, potentially confined to the OpenMetadata application itself. Note that the privilege requirement only narrows who can trigger the flaw; any compromise of an admin account still yields code execution on the server until the patch is applied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative access but is straightforward once authenticated: FreeMarker template injection is a well-understood class of bug and needs no memory corruption or race conditions. No public exploit code has been identified at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.4

Vendor Advisory: https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7

Restart Required: Yes

Instructions:

1. Back up your OpenMetadata configuration and data.
2. Stop the OpenMetadata service.
3. Upgrade to version 1.11.4 or later.
4. Restart the service.
5. Verify the upgrade was successful (see How to Verify below).

🔧 Temporary Workarounds

Restrict Administrative Access

all

Limit administrative accounts to only trusted users, enforce strong authentication (MFA or SSO-backed) for them, and review the admin list for stale or shared accounts.

Network Segmentation

all

Isolate OpenMetadata servers from sensitive networks and apply strict egress and ingress firewall rules, so that code execution on the server does not translate directly into lateral movement.

🧯 If You Can't Patch

  • Implement strict access controls and monitor all administrative activity, in particular any change to email or template settings
  • Deploy network-based intrusion detection to watch for exploitation attempts; this only helps if TLS is terminated where inspection happens, since the exploit traffic is ordinary authenticated HTTPS requests from an admin

🔍 How to Verify

Check if Vulnerable:

Check the OpenMetadata version via the web interface, the server's configuration or deployment manifests, or the version API. Any version below 1.11.4 is vulnerable; note that version strings must be compared numerically, not as text (1.11.10 is newer than 1.11.4).

Check Version:

Check OpenMetadata UI or configuration files for version information

Verify Fix Applied:

Confirm the running version is 1.11.4 or higher (check the process that is actually serving traffic, not just the package on disk) and test email template functionality to ensure no unexpected behavior.
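The version check above, as an added example that is not part of this advisory or the OpenMetadata project. It compares a reported version string numerically against the 1.11.4 fix version and flags pre-release or snapshot builds of 1.11.4 as unconfirmed. The `/api/v1/system/version` endpoint and the shape of its JSON response are assumptions; confirm them against your instance or read the version from the UI instead. The sample response is constructed.

```python
"""Decide whether an OpenMetadata version string predates the 1.11.4 fix."""
import json
import re
from typing import Optional, Tuple
from urllib.request import Request, urlopen

FIXED_VERSION = (1, 11, 4)  # first version carrying the fix, per the advisory

# Matches "1.11.3", "v1.11.4", "1.11.4-SNAPSHOT", "1.11.4+build.7".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.\-]+))?\s*$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split a version string into a numeric (major, minor, patch) tuple and an
    optional pre-release/build suffix. Raises ValueError on unrecognised input."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix


def is_vulnerable(version: str) -> bool:
    """True if the version is before 1.11.4, or is a pre-release/snapshot build
    of 1.11.4 (treated conservatively as not proven to contain the fix)."""
    core, suffix = parse_version(version)
    if core < FIXED_VERSION:          # tuple comparison, so 1.11.10 > 1.11.4
        return True
    if core == FIXED_VERSION and suffix:
        return True                   # e.g. 1.11.4-SNAPSHOT: cannot assume fixed
    return False


def assess_version_response(body: str) -> dict:
    """Interpret a JSON body of the assumed form {"version": "x.y.z", ...}."""
    version = json.loads(body)["version"]
    return {"version": version, "vulnerable": is_vulnerable(version)}


def fetch_version_json(base_url: str, token: Optional[str] = None, timeout: int = 10) -> str:
    """Fetch the assumed version endpoint. Network call; not used by the offline check."""
    url = base_url.rstrip("/") + "/api/v1/system/version"  # assumed endpoint
    req = Request(url, headers={"Accept": "application/json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response, not captured from a real instance.
SAMPLE_RESPONSE = '{"version": "1.11.3", "revision": "deadbeef", "timestamp": 0}'

if __name__ == "__main__":
    result = assess_version_response(SAMPLE_RESPONSE)
    print(f"OpenMetadata {result['version']}: "
          f"{'VULNERABLE, upgrade to 1.11.4+' if result['vulnerable'] else 'fixed version'}")
```

Run it against a live server by replacing `SAMPLE_RESPONSE` with `fetch_version_json("https://openmetadata.example")`; if the endpoint differs on your version, paste the version string from the UI into `is_vulnerable` instead.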

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative login patterns (new source addresses, off-hours logins, logins immediately followed by email or template settings changes)
  • FreeMarker template processing errors, which can indicate a payload that failed to parse or execute
  • Unexpected child processes or system command execution by the OpenMetadata server process

Network Indicators:

  • Unusual outbound connections from the OpenMetadata server (reverse shells, download of second-stage tooling)
  • FreeMarker directives or object-constructor built-ins in HTTP request bodies sent to template endpoints

SIEM Query (pseudo-query; source, event and status field names vary by log pipeline, so map them to your own schema):

source="openmetadata" AND (event="template_processing" OR event="admin_login") AND status="error"
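The "suspicious payloads in HTTP requests to template endpoints" indicator above, as an added example that is not part of this advisory or the OpenMetadata project. It scans request bodies (for example captured at a reverse proxy or WAF) for the FreeMarker built-ins that SSTI payloads rely on, while ignoring ordinary `${...}` interpolation that legitimate templates contain. The sample lines are constructed and do not reflect any real OpenMetadata log format; the endpoint path is a placeholder.

```python
"""Flag FreeMarker SSTI indicators in captured request bodies."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Dangerous FreeMarker built-ins and utility classes. Ordinary templates use
# ${var} interpolation and <#if>/<#list> directives; they do not need these.
INDICATORS: Dict[str, re.Pattern] = {
    "new-builtin": re.compile(r"\?\s*new\s*\(", re.I),        # "cls"?new() object construction
    "api-builtin": re.compile(r"\?\s*api\b", re.I),           # ?api exposes raw Java objects
    "eval-builtin": re.compile(r"\?\s*eval\b", re.I),         # ?eval runs a string as FTL
    "utility-class": re.compile(
        r"freemarker\.template\.utility\.(Execute|ObjectConstructor|JythonRuntime)", re.I),
    "classloader": re.compile(r"\bgetClass(Loader)?\s*\(", re.I),
}


def find_indicators(body: str) -> List[str]:
    """Return the names of indicators present in a request body.
    The body is percent-decoded first so %3Fnew( is caught like ?new(."""
    decoded = unquote(body)
    return [name for name, pattern in INDICATORS.items() if pattern.search(decoded)]


def scan_requests(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan captured lines; return (line number, indicators) for each hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = find_indicators(line)
        if found:
            hits.append((n, found))
    return hits


# Constructed sample capture (placeholder endpoint, not a real log format).
SAMPLE_LINES = [
    'PUT /api/v1/.../email-template body=Hello ${user.name}, welcome to OpenMetadata',
    'PUT /api/v1/.../email-template body=<#if task.assigned>${task.name} is due</#if>',
    'PUT /api/v1/.../email-template body=<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}',
    'PUT /api/v1/.../email-template body=%3C%23assign%20e%3D%22freemarker.template.utility.Execute%22%3Fnew()%3E',
    'PUT /api/v1/.../email-template body=${user?api.getClass().getClassLoader()}',
]

if __name__ == "__main__":
    for n, found in scan_requests(SAMPLE_LINES):
        print(f"line {n}: FreeMarker SSTI indicators {found}")
```

False positives are possible if an administrator legitimately authors templates using `?api` or `?new`, so treat a hit as a trigger for reviewing the change and the acting admin account rather than as proof of compromise; false negatives are possible with other encodings or obfuscation, so pair this with the process and egress indicators above.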

🔗 References

  • Vendor advisory GHSA-5f29-2333-h9c7: https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7