Executive Summary
A critical Server-Side Template Injection (SSTI) vulnerability in Centreon's centreon-open-tickets module has been assigned CVE-2026-14453 with a CVSS score of 9.6. The flaw allows an authenticated — and potentially unauthenticated — attacker to inject malicious template directives into the message_confirm field, which is stored and later rendered without sanitization, leading to Remote Code Execution (RCE) on the underlying server.
Centreon is a widely deployed open-source IT monitoring platform used across enterprise and government environments to monitor network infrastructure, servers, and services. The Open Tickets module extends Centreon by enabling IT teams to create and manage help desk tickets directly from monitoring alerts — making it a common fixture in NOC and ITSM workflows.
Vulnerability Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14453 |
| CVSS Score | 9.6 (Critical) |
| Vulnerability Type | Server-Side Template Injection (SSTI) → Remote Code Execution |
| Affected Component | centreon-open-tickets module |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (authenticated user) |
| User Interaction | None |
| Scope | Changed |
Technical Analysis
Root Cause
The vulnerability originates in the ticket creation workflow within the Open Tickets module. When a user submits a help desk ticket, the message_confirm field — intended to hold a confirmation message shown after ticket creation — is written to the database without any sanitization or escaping of template syntax.
At render time, Centreon's backend processes this field through its Smarty-based templating engine without stripping or neutralizing template constructs. An attacker can inject Smarty template directives such as:
{php}system('id');{/php}
or the more modern payload format depending on the Smarty version:
{$smarty.template_object->smarty->registerPlugin('function','pwn','system'); {pwn cmd='id'}}
Because the stored value is rendered server-side with full template engine access, the injected code executes in the context of the web server process — typically www-data or apache — with access to the underlying filesystem and network.
Attack Flow
- Attacker authenticates to Centreon with any low-privilege account (or exploits a bypass if an unauthenticated path exists in the module's API).
- Attacker navigates to the Open Tickets module and creates or modifies a ticket rule.
- Malicious Smarty template payload is injected into the
message_confirmfield. - Payload is stored in the Centreon database without sanitization.
- When the template is rendered (either on ticket confirmation or administrative review), the Smarty engine executes the injected directives.
- Arbitrary OS commands execute on the server, enabling full system compromise.
Why CVSS 9.6?
The high score reflects:
- Network-accessible attack vector with no physical access required
- Low complexity — the payload requires no special tooling or timing
- Low privilege threshold — any authenticated user can exploit it
- Scope change — the web application context can pivot to OS-level control
- Full confidentiality, integrity, and availability impact
Affected Systems
All Centreon installations that have the Open Tickets module installed and enabled are potentially vulnerable. This includes:
- Self-hosted Centreon Community Edition
- Centreon Business Edition deployments using the module
- MSP and managed service environments that use Centreon for multi-tenant monitoring
Organizations using Centreon purely for monitoring without the Open Tickets module are not directly affected by this specific vulnerability, though other Centreon CVEs may apply.
Detection
Signs of Exploitation
Defenders should monitor for:
- Unusual process spawning from the web server user (
www-data,apache,nginx) — specifically shells or network tools. - Unexpected outbound connections from the Centreon host, particularly to unfamiliar IPs on non-standard ports.
- Database audit logs showing unusual inserts into ticket configuration tables with template-like syntax (
{,},$smarty). - Web application logs showing POST requests to ticket-related endpoints with encoded or obfuscated payloads.
- File system changes in web-accessible directories — backdoors or webshells dropped via RCE.
YARA / Snort Indicators
Look for HTTP POST bodies containing Smarty template syntax targeting Centreon endpoints:
/centreon/modules/centreon-open-tickets/
With body content matching patterns like {php}, {literal}, $smarty, or encoded variants.
Mitigation and Remediation
Immediate Actions
- Apply the vendor patch as soon as it becomes available from Centreon's official repositories and security advisories.
- Restrict access to the Open Tickets module to known trusted users and IP ranges via web server ACLs or Centreon's own access controls.
- Disable the Open Tickets module if it is not actively in use — this eliminates the attack surface entirely.
- Audit existing ticket rules for any suspicious content in
message_confirmor similar fields that contains template-like syntax.
Workarounds (Until Patch)
- WAF rule: Block POST requests containing Smarty delimiters (
{php},{$smarty) to Centreon endpoints. - Disable template rendering in the confirmation field if your Centreon version allows plain-text mode.
- Network segmentation: Ensure the Centreon web interface is not exposed to untrusted networks or the internet.
Longer-Term Hardening
- Apply output encoding and input validation at all template render points — this is a defense-in-depth principle applicable beyond this specific CVE.
- Consider enabling Centreon's audit logs to track all user activity within the monitoring platform.
- Implement least-privilege for the web server process — a compromised
www-dataaccount should not have access to sensitive network segments or credentials.
Context: Centreon and IT Monitoring Attack Surface
Centreon has been targeted by threat actors previously — notably Sandworm (APT28/Fancy Bear) was linked to attacks against French organizations using Centreon in 2021 (per ANSSI's advisory). IT monitoring platforms are high-value targets because:
- They have broad network visibility and often hold credentials for managed devices.
- They are typically trusted systems with extensive firewall exceptions.
- Compromise of a monitoring platform can facilitate lateral movement across an entire network estate.
This makes CVE-2026-14453 particularly significant in environments where Centreon manages critical infrastructure monitoring.
References
- NVD: CVE-2026-14453
- Centreon Security Advisories: Check the official Centreon GitHub and support portal for patch availability.
- ANSSI Advisory on Centreon (2021): Historical context on nation-state targeting of Centreon deployments.
- Smarty Template Engine Security: Smarty's own documentation on sandboxing and security best practices.
Timeline
| Date | Event |
|---|---|
| 2026-07-14 | CVE published to NVD with CVSS 9.6 |
| Pending | Vendor patch release |
| Pending | Proof-of-concept public disclosure |
CosmicBytez Labs will update this advisory as additional technical details and patch information become available.