CVE-2026-28228: OpenOlat RCE — Patch Guide
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author rol...
Overview
A server-side template injection (SSTI) vulnerability, tracked as CVE-2026-28228, has been identified in the OpenOlat e-learning platform. This high-severity flaw (CVSS: 8.8) allows authenticated users with the ‘Author’ role to execute arbitrary operating system commands on the underlying server.
Vulnerability Details
OpenOlat versions prior to 19.1.31, 20.1.18, and 20.2.5 do not properly sanitize user input in reminder email templates. An attacker with Author privileges can inject malicious Velocity template language directives. When the reminder is processed, either manually by a user or automatically by a daily cron job, the server evaluates these directives. By chaining these directives with Java reflection, an attacker can instantiate dangerous classes such as java.lang.ProcessBuilder and run arbitrary system commands.
The attack is network-based and low in complexity, and it requires no user interaction beyond the attacker's own authentication as a low-privileged Author.
Impact
Successful exploitation grants an attacker command execution with the privileges of the Tomcat application server process. In many deployments, especially containerized ones, this process runs as root or with other high-level system privileges. This can lead to complete compromise of the host, enabling data theft, deployment of ransomware, or use of the system as a foothold for further attacks on the network. Given OpenOlat's use in educational and corporate environments, sensitive personal data and proprietary teaching materials are at direct risk.
Remediation and Mitigation
The OpenOlat maintainers have released patched versions that address this vulnerability. Affected users must upgrade immediately to one of the following fixed releases:
- Version 19.1.31
- Version 20.1.18
- Version 20.2.5
No viable workarounds exist. If immediate patching is not possible, administrators should audit the accounts that hold the Author role and consider temporarily restricting reminder functionality as a stopgap, accepting that this will affect platform usability. Continuously monitor application logs for suspicious activity related to reminder creation or execution, since reminders are also evaluated by the daily cron job and not only when a user triggers them.
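The monitoring advice above is easier to act on with a concrete check. The following Python script is an added example, not code from the advisory or from the OpenOlat project: it scans reminder template bodies for Velocity constructs that a legitimate reminder never needs (directives that assign values, access to the Java class object, reflective class loading, process execution) and reports which reminders warrant review. It assumes the reminder bodies have been exported from the OpenOlat database or logs as (reminder id, author login, template body) tuples; the indicator names, the regular expressions and the sample records are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Heuristic indicators (constructed for this example) of Velocity template
# content that reaches into Java reflection or process execution. A benign
# reminder only needs $placeholder references and perhaps #if / #foreach.
SUSPICIOUS_PATTERNS = {
    "velocity_set_directive": re.compile(r"#set\s*\(", re.IGNORECASE),
    "class_object_access": re.compile(r"\.class\b|\.getClass\s*\("),
    "reflective_class_load": re.compile(r"\bforName\s*\("),
    "process_execution": re.compile(r"\b(ProcessBuilder|Runtime)\b"),
    "classloader_access": re.compile(r"\bClassLoader\b|getClassLoader"),
}


@dataclass
class Finding:
    indicator: str
    snippet: str  # short context around the match, for the analyst


def scan_template(body: str) -> list[Finding]:
    """Return one Finding per indicator match in a single template body."""
    findings = []
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        for m in pattern.finditer(body):
            start = max(0, m.start() - 20)
            end = min(len(body), m.end() + 20)
            findings.append(Finding(name, body[start:end]))
    return findings


def triage_reminders(records):
    """records: iterable of (reminder_id, author_login, template_body).

    Returns a dict mapping each flagged reminder id to the sorted list of
    indicator names that fired, so the output is stable and easy to diff
    between runs.
    """
    flagged = {}
    for reminder_id, _author, body in records:
        hits = scan_template(body)
        if hits:
            flagged[reminder_id] = sorted({f.indicator for f in hits})
    return flagged


# Constructed sample records: two benign reminders and two that touch
# reflection or process execution and should be reviewed.
SAMPLE_RECORDS = [
    ("r-1001", "author.alice",
     'Dear $firstName, your course "$courseName" starts on $startDate.'),
    ("r-1002", "author.bob",
     "Reminder: #if($daysLeft < 3) only $daysLeft days left! #end See $courseUrl"),
    ("r-1003", "author.eve",
     "Hi $firstName #set($k = $firstName.getClass()) please check in."),
    ("r-1004", "author.mallory",
     "Note: $firstName.class and java.lang.ProcessBuilder"),
]

if __name__ == "__main__":
    for reminder_id, indicators in triage_reminders(SAMPLE_RECORDS).items():
        print(f"{reminder_id}: review ({', '.join(indicators)})")
```

Run against a real export, the script produces a short review list rather than a verdict: the indicators are deliberately broad (the word `Runtime` in ordinary prose will trigger one), so every hit should be checked by a person together with the reminder's author account. Reminders that fire the class-object or process-execution indicators are the ones to disable first while the upgrade to 19.1.31, 20.1.18 or 20.2.5 is scheduled.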
Security Insight
This vulnerability highlights the persistent danger of template injection in feature-rich web applications, a class of flaw often overlooked compared with more common SQL or command injection. It mirrors incidents in other educational platforms where overly permissive author roles became a primary attack vector. The exploit chain, from a simple text field to full system compromise, demonstrates how seemingly benign application features can be weaponized, underscoring the need for rigorous input validation across all user-facing functions.