Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1884+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14453: Critical SSTI to RCE in Centreon Open Tickets (CVSS 9.6)
CVE-2026-14453: Critical SSTI to RCE in Centreon Open Tickets (CVSS 9.6)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-14453

CVE-2026-14453: Critical SSTI to RCE in Centreon Open Tickets (CVSS 9.6)

A critical Server-Side Template Injection vulnerability in Centreon's centreon-open-tickets module allows unauthenticated attackers to achieve Remote Code Execution via the unsanitized message_confirm field.

Dylan H.

Security Team

July 14, 2026
6 min read

Affected Products

  • Centreon centreon-open-tickets (all versions prior to patched release)
  • Centreon Web installations using the Open Tickets module

Executive Summary

A critical Server-Side Template Injection (SSTI) vulnerability in Centreon's centreon-open-tickets module has been assigned CVE-2026-14453 with a CVSS score of 9.6. The flaw allows an authenticated — and potentially unauthenticated — attacker to inject malicious template directives into the message_confirm field, which is stored and later rendered without sanitization, leading to Remote Code Execution (RCE) on the underlying server.

Centreon is a widely deployed open-source IT monitoring platform used across enterprise and government environments to monitor network infrastructure, servers, and services. The Open Tickets module extends Centreon by enabling IT teams to create and manage help desk tickets directly from monitoring alerts — making it a common fixture in NOC and ITSM workflows.


Vulnerability Details

FieldValue
CVE IDCVE-2026-14453
CVSS Score9.6 (Critical)
Vulnerability TypeServer-Side Template Injection (SSTI) → Remote Code Execution
Affected Componentcentreon-open-tickets module
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow (authenticated user)
User InteractionNone
ScopeChanged

Technical Analysis

Root Cause

The vulnerability originates in the ticket creation workflow within the Open Tickets module. When a user submits a help desk ticket, the message_confirm field — intended to hold a confirmation message shown after ticket creation — is written to the database without any sanitization or escaping of template syntax.

At render time, Centreon's backend processes this field through its Smarty-based templating engine without stripping or neutralizing template constructs. An attacker can inject Smarty template directives such as:

{php}system('id');{/php}

or the more modern payload format depending on the Smarty version:

{$smarty.template_object->smarty->registerPlugin('function','pwn','system'); {pwn cmd='id'}}

Because the stored value is rendered server-side with full template engine access, the injected code executes in the context of the web server process — typically www-data or apache — with access to the underlying filesystem and network.

Attack Flow

  1. Attacker authenticates to Centreon with any low-privilege account (or exploits a bypass if an unauthenticated path exists in the module's API).
  2. Attacker navigates to the Open Tickets module and creates or modifies a ticket rule.
  3. Malicious Smarty template payload is injected into the message_confirm field.
  4. Payload is stored in the Centreon database without sanitization.
  5. When the template is rendered (either on ticket confirmation or administrative review), the Smarty engine executes the injected directives.
  6. Arbitrary OS commands execute on the server, enabling full system compromise.

Why CVSS 9.6?

The high score reflects:

  • Network-accessible attack vector with no physical access required
  • Low complexity — the payload requires no special tooling or timing
  • Low privilege threshold — any authenticated user can exploit it
  • Scope change — the web application context can pivot to OS-level control
  • Full confidentiality, integrity, and availability impact

Affected Systems

All Centreon installations that have the Open Tickets module installed and enabled are potentially vulnerable. This includes:

  • Self-hosted Centreon Community Edition
  • Centreon Business Edition deployments using the module
  • MSP and managed service environments that use Centreon for multi-tenant monitoring

Organizations using Centreon purely for monitoring without the Open Tickets module are not directly affected by this specific vulnerability, though other Centreon CVEs may apply.


Detection

Signs of Exploitation

Defenders should monitor for:

  • Unusual process spawning from the web server user (www-data, apache, nginx) — specifically shells or network tools.
  • Unexpected outbound connections from the Centreon host, particularly to unfamiliar IPs on non-standard ports.
  • Database audit logs showing unusual inserts into ticket configuration tables with template-like syntax ({, }, $smarty).
  • Web application logs showing POST requests to ticket-related endpoints with encoded or obfuscated payloads.
  • File system changes in web-accessible directories — backdoors or webshells dropped via RCE.

YARA / Snort Indicators

Look for HTTP POST bodies containing Smarty template syntax targeting Centreon endpoints:

/centreon/modules/centreon-open-tickets/

With body content matching patterns like {php}, {literal}, $smarty, or encoded variants.


Mitigation and Remediation

Immediate Actions

  1. Apply the vendor patch as soon as it becomes available from Centreon's official repositories and security advisories.
  2. Restrict access to the Open Tickets module to known trusted users and IP ranges via web server ACLs or Centreon's own access controls.
  3. Disable the Open Tickets module if it is not actively in use — this eliminates the attack surface entirely.
  4. Audit existing ticket rules for any suspicious content in message_confirm or similar fields that contains template-like syntax.

Workarounds (Until Patch)

  • WAF rule: Block POST requests containing Smarty delimiters ({php}, {$smarty) to Centreon endpoints.
  • Disable template rendering in the confirmation field if your Centreon version allows plain-text mode.
  • Network segmentation: Ensure the Centreon web interface is not exposed to untrusted networks or the internet.

Longer-Term Hardening

  • Apply output encoding and input validation at all template render points — this is a defense-in-depth principle applicable beyond this specific CVE.
  • Consider enabling Centreon's audit logs to track all user activity within the monitoring platform.
  • Implement least-privilege for the web server process — a compromised www-data account should not have access to sensitive network segments or credentials.

Context: Centreon and IT Monitoring Attack Surface

Centreon has been targeted by threat actors previously — notably Sandworm (APT28/Fancy Bear) was linked to attacks against French organizations using Centreon in 2021 (per ANSSI's advisory). IT monitoring platforms are high-value targets because:

  • They have broad network visibility and often hold credentials for managed devices.
  • They are typically trusted systems with extensive firewall exceptions.
  • Compromise of a monitoring platform can facilitate lateral movement across an entire network estate.

This makes CVE-2026-14453 particularly significant in environments where Centreon manages critical infrastructure monitoring.


References

  • NVD: CVE-2026-14453
  • Centreon Security Advisories: Check the official Centreon GitHub and support portal for patch availability.
  • ANSSI Advisory on Centreon (2021): Historical context on nation-state targeting of Centreon deployments.
  • Smarty Template Engine Security: Smarty's own documentation on sandboxing and security best practices.

Timeline

DateEvent
2026-07-14CVE published to NVD with CVSS 9.6
PendingVendor patch release
PendingProof-of-concept public disclosure

CosmicBytez Labs will update this advisory as additional technical details and patch information become available.

#Vulnerability#CVE#SSTI#RCE#Centreon#NVD

Related Articles

CVE-2026-54414: FileRise Path Traversal Enables Arbitrary File Write and Admin Takeover

A critical path traversal vulnerability in FileRise before 3.16.0 allows unauthenticated attackers to write arbitrary files and completely compromise...

5 min read

CVE-2026-7515: BetterDocs Pro WordPress Plugin — Unauthenticated Local File Inclusion

A critical Local File Inclusion vulnerability in the BetterDocs Pro WordPress plugin (up to v3.8.0) allows unauthenticated attackers to include and...

6 min read

CVE-2026-6933: Unauthenticated RCE in Premmerce Dev Tools WordPress Plugin

A high-severity unauthenticated remote code execution vulnerability (CVSS 8.8) in Premmerce Dev Tools for WordPress allows attackers to execute arbitrary...

3 min read
Back to all Security Alerts