Remote Code Execution Vulnerability in OpenMetadata by OpenMetadata
CVE-2026-22244

8.5HIGH

Key Information:

Vendor

Open-metadata

Status
Openmetadata
Vendor
CVE Published:
8 January 2026

What is CVE-2026-22244?

OpenMetadata is a unified metadata platform that has a vulnerability allowing remote code execution through Server-Side Template Injection in its FreeMarker email templates. Only users with administrative privileges can exploit this vulnerability. Users are encouraged to upgrade to version 1.11.4 or later, which includes a necessary patch to mitigate this risk.

Affected Version(s)

OpenMetadata < 1.11.4

References

https://github.com/open-metadata/OpenMetadata/security/ad...
x_refsource_CONFIRM
https://github.com/open-metadata/OpenMetadata/commit/bffe...
x_refsource_MISC

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.