Platform: java
Component: openolat
Fixed in: 19.1.32, 20.1.19, 20.2.6
CVE-2026-28228 is a Remote Code Execution (RCE) vulnerability affecting OpenOLAT, an open-source e-learning platform. This flaw allows an authenticated user with the Author role to inject malicious Velocity directives into reminder email templates. When these templates are processed, the directives are evaluated server-side, potentially leading to arbitrary code execution on the system. The vulnerability impacts versions 19.1.31, 20.1.18, and 20.2.5 and earlier.
Successful exploitation of CVE-2026-28228 grants an attacker the ability to execute arbitrary operating system commands on the OpenOLAT server with the privileges of the user running the email processing cron job. This could lead to complete system compromise, including data exfiltration, malware installation, and denial of service. The attack chain leverages Velocity's #set directive combined with Java reflection to instantiate classes like java.lang.ProcessBuilder, effectively bypassing security controls. The potential blast radius is significant, as a successful attacker could gain control of the entire OpenOLAT infrastructure and potentially access sensitive student data, course materials, and administrative credentials.
CVE-2026-28228 was publicly disclosed on 2026-03-30. The vulnerability's exploitation context is currently unclear, but the combination of RCE and the ability to inject code via email templates suggests a potentially high-impact attack vector. No public proof-of-concept (PoC) code has been released as of this writing. The EPSS score is pending evaluation, but the RCE nature of the vulnerability warrants careful monitoring. It is advisable to prioritize patching this vulnerability.
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28228 is to upgrade OpenOLAT to a version that includes the fix, specifically versions 19.1.31, 20.1.18, or 20.2.5 or later. If upgrading immediately is not possible, consider temporarily restricting the Author role's ability to modify reminder email templates. Implement strict input validation on all user-supplied data within email templates to prevent directive injection. Web application firewalls (WAFs) configured to detect and block Velocity directive injection attempts can provide an additional layer of defense. After upgrading, verify the fix by attempting to inject a simple Velocity directive into a reminder email template and confirming that it is not executed.
Update OpenOLAT to version 19.1.31, 20.1.18, or 20.2.5, or a later version. This corrects the server-side template injection vulnerability in Velocity templates.
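The input-validation mitigation described above, as an added example that is not OpenOLAT's code: a pre-save validator that applies an allowlist to author-supplied reminder templates. It rejects every Velocity directive (including the `#{set}` brace form and `#name(...)` macro calls) and every `$reference` that walks a property or method chain, since that chain is the path to the reflection the page describes; bare references must be on an allowlist. The allowed placeholder names (firstName, lastName, courseName, dueDate) and the sample templates are constructed assumptions, not values taken from the product.

```python
"""Pre-save validator for author-supplied reminder e-mail templates.

Added example for this advisory, not OpenOLAT code.  It applies the
allowlist stance the mitigation section recommends: a reminder template may
contain plain text and a handful of simple $references; any Velocity
directive and any reference that walks a property or method chain is
rejected before the template is stored and rendered.
"""
import re
from dataclasses import dataclass

# References a reminder template is allowed to use (assumed set; adjust to
# the placeholders the product actually exposes).
ALLOWED_REFERENCES = frozenset({"firstName", "lastName", "courseName", "dueDate"})

# Velocity's built-in directive names (case-sensitive in Velocity itself).
BUILTIN_DIRECTIVES = frozenset({
    "set", "if", "elseif", "else", "end", "foreach", "include", "parse",
    "evaluate", "define", "macro", "break", "stop",
})

# '#name' or '#{name}', optionally followed by '(' -- the second group tells a
# macro call (#myMacro(...)) apart from literal text such as "#ffffff".
DIRECTIVE_RE = re.compile(r"#@?\{?([A-Za-z_]\w*)\}?\s*(\()?")

# '$name', '$!name', '${name}', plus an optional chain of .prop, .method(...)
# or [index] accesses.  Escaped forms (\$, \#) are deliberately still matched:
# the check is meant to be stricter than Velocity, never looser.
REFERENCE_RE = re.compile(
    r"\$!?\{?([A-Za-z_]\w*)"
    r"((?:\.[A-Za-z_]\w*(?:\([^)]*\))?|\[[^\]]*\])*)\}?"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # "directive" or "reference"
    text: str      # the offending fragment as it appears in the template
    offset: int    # character offset, for pointing the author at the spot


def validate_template(template: str) -> list[Finding]:
    """Return every disallowed construct in the template, in document order."""
    findings = []
    for m in DIRECTIVE_RE.finditer(template):
        name, paren = m.group(1), m.group(2)
        # Built-in directives are always rejected; '#word(' is a macro call.
        if name in BUILTIN_DIRECTIVES or paren:
            findings.append(Finding("directive", m.group(0).strip(), m.start()))
    for m in REFERENCE_RE.finditer(template):
        name, chain = m.group(1), m.group(2)
        # Any chain (.class, .getClass(), [0], ...) is a path towards
        # reflection; bare references must be on the allowlist.
        if chain or name not in ALLOWED_REFERENCES:
            findings.append(Finding("reference", m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def is_safe(template: str) -> bool:
    """True when the template contains nothing but text and allowed references."""
    return not validate_template(template)


# Constructed sample templates: one an author should be able to save, one
# that must be rejected at save time.
SAFE_TEMPLATE = (
    "Hello $firstName, your assignment in ${courseName} is due on $dueDate. "
    "Reminder #1 of 3."
)
UNSAFE_TEMPLATE = (
    "Hello $firstName #set($greeting = 'Hi') $greeting $firstName.getClass()"
)

if __name__ == "__main__":
    for label, tpl in (("safe", SAFE_TEMPLATE), ("unsafe", UNSAFE_TEMPLATE)):
        print(label, "->", "accepted" if is_safe(tpl) else "rejected")
        for f in validate_template(tpl):
            print(f"  {f.kind} at {f.offset}: {f.text}")
```

The allowlist is the point of the design: a denylist of dangerous method names has to anticipate every reflection route, whereas refusing every directive and every chained reference leaves an author with plain text plus a few placeholders, which is all a reminder needs. The check belongs on the server's save path (a WAF rule in front of it is a second layer, not the primary one), and it is a workaround for unpatched instances only; the authoritative fix remains the vendor upgrade.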
CVE-2026-28228 is a Remote Code Execution vulnerability in the OpenOLAT e-learning platform that allows attackers to execute commands on the server.
You are affected if you are running OpenOLAT versions 19.1.31, 20.1.18, or 20.2.5 or earlier. Check your version and upgrade immediately.
Upgrade OpenOLAT to version 19.1.31, 20.1.18, or 20.2.5 or later. Consider restricting Author role permissions as a temporary workaround.
There is no confirmed active exploitation as of the last update, but the vulnerability's potential impact warrants immediate attention and patching.
Refer to the OpenOLAT security advisories page for the latest information and official announcements regarding CVE-2026-28228.