CVE-2026-22244

Source
https://nvd.nist.gov/vuln/detail/CVE-2026-22244
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22244.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22244
Aliases
Published
2026-01-08T15:12:51.103Z
Modified
2026-01-17T05:42:51.799212Z
Severity
  • 8.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
Summary
OpenMetadata Server-Side Template Injection (SSTI) in FreeMarker email templates that leads to RCE
Details

OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.

Database specific
{
    "cwe_ids": [
        "CWE-1336"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22244.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/open-metadata/openmetadata

Affected ranges

Type
GIT
Repo
https://github.com/open-metadata/openmetadata
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.3.0-SNAPSHOT.pre2
0.3.1-release
0.4.0-pre
0.8.1-release

1.*

1.0.0-alpha-release
1.11.0-release
1.11.1-release
1.11.2-release
1.11.3-release

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22244.json"

vanir_signatures
