OpenMetadata Remote Code Execution Vulnerability via Server-Side Template Injection in FreeMarker Email Templates

Vulnerability

A remote code execution vulnerability has been identified in OpenMetadata versions prior to 1.11.4. This issue arises from server-side template injection in FreeMarker email templates, allowing an attacker with administrative privileges to execute arbitrary code. The vulnerability has been patched in version 1.11.4.
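The root cause described above is that admin-editable email template bodies are handed to FreeMarker with its default configuration, in which built-ins such as ?new and ?api let template text reach arbitrary Java classes. The following is an added example, not OpenMetadata's own code or the actual 1.11.4 fix: it shows how a FreeMarker Configuration can be hardened so that template text (even from an administrator) cannot instantiate classes or reach raw Java objects, while ordinary interpolation keeps working. The class name HardenedEmailTemplates, the template name "welcome" and the userName model value are assumptions constructed for the example.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper class (not part of OpenMetadata) demonstrating a
// defensive FreeMarker configuration for admin-editable email templates.
public class HardenedEmailTemplates {

    // Build a Configuration that refuses the built-ins most often abused for
    // server-side template injection.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // Refuse to instantiate any class from template text: the ?new built-in
        // fails with a TemplateException instead of creating objects.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Disable the ?api built-in, which would expose the raw Java objects
        // behind the data model to template code.
        cfg.setAPIBuiltinEnabled(false);
        // Serve templates only from memory, so template text cannot <#include>
        // or <#import> files from the server's filesystem.
        cfg.setTemplateLoader(new StringTemplateLoader());
        return cfg;
    }

    // Render a stored template body against a fixed data model. Only the
    // values placed in the model are reachable from the template.
    static String render(Configuration cfg, String name, String body,
                         Map<String, Object> model)
            throws IOException, TemplateException {
        StringTemplateLoader loader = (StringTemplateLoader) cfg.getTemplateLoader();
        loader.putTemplate(name, body);
        Template template = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        Map<String, Object> model = new HashMap<>();
        model.put("userName", "alice"); // constructed sample data

        // A legitimate email template still renders as expected.
        String body = "Hello ${userName}, welcome to OpenMetadata.";
        System.out.println(render(cfg, "welcome", body, model));
    }
}
```

With this configuration, a template body that tries to use the ?new or ?api built-ins is rejected at render time with a TemplateException rather than executing, so a compromised or malicious administrator account is limited to the values explicitly placed in the data model. Hardening the engine this way is a defence-in-depth measure alongside upgrading to 1.11.4 or later; it is not a substitute for the vendor patch.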

Impact

Exploitation of this vulnerability allows for remote code execution on the server where OpenMetadata is running, with the executed commands running as the user under which the OpenMetadata server process operates.

Reproduction

To reproduce this vulnerability, first deploy OpenMetadata version 1.11.2. After the application is running, obtain an admin JWT token. Then, identify a target email template and inject a payload that exploits the server-side template injection vulnerability. Once the payload is injected, trigger the email notification that uses the modified template. The injected code will be executed on the server, confirming the exploitation of the vulnerability.

Remediation

Users can update to OpenMetadata version 1.11.4 or later, where this vulnerability has been patched.

Added: Jan 8, 2026, 4:25 PM
Updated: Jan 8, 2026, 6:29 PM

Vulnerability Rating

Custom Algorithm

  spread           0.8
  impact          10.0
  exploitability   6.1
  remediation      7.7
  relevance        1.8
  threat           6.4
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.