CVE-2026-28228 Overview
CVE-2026-28228 is a Server-Side Template Injection (SSTI) vulnerability in OpenOlat, an open-source web-based e-learning platform used for teaching, learning, assessment, and communication. The vulnerability allows authenticated users with the Author role to inject malicious Velocity template directives into reminder email templates. When these templates are processed—either through manual triggering or automated daily cron jobs—the injected directives execute server-side, enabling arbitrary command execution with the privileges of the Tomcat application server process.
Critical Impact
Authenticated attackers can achieve full remote code execution on the underlying server, potentially compromising all hosted course data, user credentials, and the entire learning management infrastructure. Containerized deployments running as root face the highest risk of complete system compromise.
Affected Products
- Frentix OpenOlat versions prior to 19.1.31
- Frentix OpenOlat versions prior to 20.1.18
- Frentix OpenOlat versions prior to 20.2.5
Discovery Timeline
- 2026-03-30 - CVE-2026-28228 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-28228
Vulnerability Analysis
This vulnerability represents a classic Server-Side Template Injection (SSTI) attack chain targeting the Apache Velocity templating engine integrated within OpenOlat's reminder notification system. The flaw stems from insufficient input validation and sanitization of user-controlled content within email reminder templates that are accessible to users with the Author role.
The attack exploits the fact that the Velocity template engine evaluates directives embedded within templates at runtime. By injecting crafted Velocity Template Language (VTL) syntax, an attacker can break out of the intended template context and execute arbitrary operations. The exploitation chain typically leverages Velocity's #set directive combined with Java reflection APIs to gain access to dangerous runtime classes.
Through careful manipulation of Velocity's object model, attackers can instantiate Java classes such as java.lang.ProcessBuilder or java.lang.Runtime, which provide direct access to operating system command execution capabilities. The commands execute with the privileges of the Tomcat application server process, which in many containerized deployments operates as root—significantly amplifying the impact of successful exploitation.
Root Cause
The root cause of CVE-2026-28228 lies in the improper handling of user input within the reminder email template functionality. The application fails to implement adequate input validation or output encoding when processing author-supplied template content before passing it to the Velocity template engine. This allows Velocity directives and expressions to be evaluated as executable code rather than being treated as literal text content.
The vulnerability is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), which specifically addresses scenarios where applications fail to properly sanitize or escape user input that will be processed by template engines.
Attack Vector
The attack requires network access and valid authentication with Author-level privileges within the OpenOlat platform. The attacker crafts a malicious reminder email template containing Velocity directives that leverage Java reflection to instantiate dangerous classes. When the reminder processing occurs—either through manual triggering by an administrator or via the platform's daily scheduled cron job—the template engine evaluates the malicious payload.
The exploitation mechanism chains multiple Velocity capabilities: the #set directive assigns values to variables, while reflection-based object instantiation (accessible through Velocity's context) enables the attacker to create instances of ProcessBuilder or similar classes. These objects are then invoked to execute arbitrary operating system commands, achieving Remote Code Execution on the hosting server.
Detection Methods for CVE-2026-28228
Indicators of Compromise
- Unusual reminder email templates containing Velocity directives such as #set or #evaluate, reflection calls such as Class.forName, or references to classes such as ProcessBuilder or Runtime
- Log entries showing template parsing errors or unexpected Java class instantiation within reminder processing workflows
- Unexpected outbound network connections or process spawning from the Tomcat/OpenOlat service user
- New or modified reminder templates created by Author accounts that contain encoded or obfuscated content
Detection Strategies
- Implement application-level logging to capture and flag any reminder templates containing Velocity directives or Java class references
- Deploy Web Application Firewall (WAF) rules to detect template injection payloads in form submissions and API requests to OpenOlat endpoints
- Monitor process execution chains from the Tomcat service for unusual child processes such as /bin/bash, /bin/sh, or common reconnaissance utilities
- Review audit logs for Author accounts creating or modifying reminder templates with suspicious content patterns
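The indicator and detection-strategy items above can be turned into a review pass over stored reminder templates. The following is an added example for this advisory, not OpenOlat's own code or tooling; the rule set and the sample templates are constructed assumptions, and the samples are illustrative strings rather than real payloads.

```python
"""Flag Velocity SSTI indicators in OpenOlat reminder email templates."""
import base64
import re

# Rules for the indicators listed above. Benign reminder templates use plain
# $references and #if/#foreach; assignments, evaluation, reflection and escapes deserve review.
RULES = [
    ("directive_set",      "high",   re.compile(r"#\{?set\b", re.I)),
    ("directive_evaluate", "high",   re.compile(r"#\{?evaluate\b", re.I)),
    ("directive_file",     "medium", re.compile(r"#\{?(?:include|parse)\b", re.I)),
    ("reflection",         "high",   re.compile(r"\.class\b|\bgetClass\b|\bforName\b")),
    ("dangerous_class",    "high",   re.compile(r"ProcessBuilder|\bRuntime\b|getRuntime|\.exec\s*\(")),
    ("unicode_escape",     "medium", re.compile(r"\\u00[0-9a-fA-F]{2}")),
]
# A long run of base64 alphabet may be an obfuscated template hiding its directives.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def scan_template(text):
    """Return (rule, severity, matched_text) findings for one template body."""
    findings = [(name, sev, m.group(0))
                for name, sev, rx in RULES for m in rx.finditer(text)]
    for m in BLOB_RE.finditer(text):
        blob = m.group(0)
        findings.append(("encoded_blob", "medium", blob[:16] + "..."))
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "ignore")
        except ValueError:
            continue
        # A decoded blob that itself carries VTL syntax is the strongest signal.
        if "#" in decoded or "$" in decoded:
            findings.append(("encoded_directive", "high", decoded[:40]))
    return findings

def verdict(text):
    """Collapse findings to 'high', 'medium', or 'clean'."""
    levels = {sev for _, sev, _ in scan_template(text)}
    return "high" if "high" in levels else "medium" if "medium" in levels else "clean"

def review_templates(templates):
    """Map template id -> verdict, e.g. over templates recently saved by Author accounts."""
    return {tid: verdict(body) for tid, body in templates.items()}

# Constructed samples: illustrative strings, not real OpenOlat templates or payloads.
SAMPLES = {
    "benign":  "Dear $user.firstName, #if($course.hasDeadline) due $course.deadline #end",
    "reflect": 'Dear $user.firstName, #set($t = $user.class) $t.forName("java.lang.Runtime")',
    "encoded": "Reminder: " + base64.b64encode(
        b"#set($hidden = 1) this is a long hidden directive").decode(),
}
print(review_templates(SAMPLES))  # {'benign': 'clean', 'reflect': 'high', 'encoded': 'high'}
```

Feed it the template bodies exported from the reminder subsystem, and treat every "high" verdict as something to inspect by hand before the next daily reminder run.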
Monitoring Recommendations
- Enable verbose logging for the reminder notification subsystem to capture template content and processing events
- Configure host-based intrusion detection to alert on command execution from the Tomcat service account
- Implement file integrity monitoring on OpenOlat configuration and template storage directories
- Establish baseline behavior for the application server and alert on deviations in network connections, file access, or process creation
How to Mitigate CVE-2026-28228
Immediate Actions Required
- Upgrade OpenOlat immediately to patched versions 19.1.31, 20.1.18, or 20.2.5 depending on your installed branch
- Review all existing reminder email templates for suspicious Velocity directives or Java class references
- Audit Author account activity and permissions, restricting template modification capabilities where possible
- Ensure containerized deployments do not run the Tomcat process as root; apply the principle of least privilege
Patch Information
Frentix has addressed this vulnerability in OpenOlat versions 19.1.31, 20.1.18, and 20.2.5. Organizations should upgrade to the appropriate patched version for their deployment branch. For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory GHSA-55qg-vvgj-ffh4.
Workarounds
- Restrict Author role assignments to trusted personnel only until the patch can be applied
- Implement input validation at the application gateway or WAF layer to block template injection patterns
- If feasible, disable or remove the reminder email template customization feature temporarily
- Run OpenOlat containers with a non-root user and apply strict seccomp/AppArmor profiles to limit exploitation impact
# Example: Running OpenOlat container with reduced privileges
# -u: run as an unprivileged UID/GID instead of root, limiting what a
#     compromised Tomcat process can do on the host
# no-new-privileges: block privilege escalation via setuid/setgid binaries
# cap-drop=ALL: remove all Linux capabilities from the container process
docker run -u 1000:1000 \
  --security-opt=no-new-privileges:true \
  --cap-drop=ALL \
  frentix/openolat:20.2.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.