External risk intelligence

Centreon Open Tickets SSTI Leading to Remote Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-14453

Centreon is an IT infrastructure monitoring platform that is often deployed in internal network segments to monitor servers and applications. While these platforms can be exposed to the internet, they are frequently kept behind internal controls or VPNs. The requirement for authentication further limits the potential for broad, unauthenticated internet exposure.

Code Injection

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in the Centreon centreon-open-tickets module, specifically a Server-Side Template Injection flaw. This issue allows authenticated users to execute arbitrary code on the server, potentially leading to the exposure of sensitive information and disruption of the Centreon Infrastructure Monitoring platform's availability.

  • Code execution flaw in ticket module.
  • Critical for infrastructure monitoring platform integrity.
  • Confirm relevance and exposure of monitoring systems.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access to Centreon can exploit a vulnerability in the centreon-open-tickets module. By submitting specially crafted input to the `message_confirm` field, an attacker can inject and execute arbitrary code on the server, potentially leading to the exposure of sensitive environment secrets and impacting the availability of the monitoring platform.

  • Requires authenticated user access.
  • Triggered by submitting unsanitized input.
  • Risk of code execution and secrets disclosure.

Live Threat

Current exploitation, exposure, and threat context

This critical Server-Side Template Injection vulnerability in Centreon's centreon-open-tickets module could allow an authenticated user to execute arbitrary code on the server. This may lead to the disclosure of environment secrets and impact the availability of the Centreon Infrastructure Monitoring product.

  • System secrets and availability.
  • Authenticated user injection via message field.
  • Arbitrary code execution on server.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical Server-Side Template Injection vulnerability in Centreon's centreon-open-tickets module requires immediate attention from teams managing Centreon Infra Monitoring deployments. The first practical step is to identify all instances of the affected module, determine their reachability and business criticality, and then engage the accountable platform or application owners to prioritize and plan remediation.

  • Platform and application owners should lead.
  • Verify instance exposure and criticality.
  • Plan targeted remediation or mitigation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Centreon centreon-open-tickets module?

It is a component within the Centreon Infrastructure Monitoring platform. This platform is used by organizations to observe the health and performance of their servers and network applications. The module specifically handles ticketing workflows, allowing administrators to integrate monitoring alerts with external support or incident tracking systems.

What does Server-Side Template Injection (CWE-94) mean for CVE-2026-14453?

This vulnerability class occurs when an application embeds user input into a server-side template engine without proper validation. In this case, the engine processes the input as executable code rather than plain text. Because the template system lacks a security policy, CVE-2026-14453 allows an attacker to inject their own instructions, which the server then executes with the same permissions as the application.

How is the vulnerability in CVE-2026-14453 triggered?

An attacker triggers this by inputting specially crafted data into the 'message_confirm' field within the ticketing module. It is important to note that this is not an unauthenticated flaw; the system requires a valid user account to access and submit input to this field. Actions taken by users without an authenticated session will not activate the malicious code execution path.

Do I need to worry if my Centreon instance is not on the internet?

Halo Surface Signal indicates that while Centreon is often deployed in internal network segments, its risk depends on your specific environment. Since the vulnerability requires an authenticated user, the primary danger comes from compromised internal accounts or malicious insiders. Even if the platform is not exposed to the public internet, it remains a target if an attacker gains access to your internal network or a legitimate user account.

What are the first steps to address this CVE?

Start by identifying all instances of the centreon-open-tickets module within your infrastructure. Once you have a list of deployments, work with the platform owners to assess the business criticality of those specific systems. Engage your security or application team to plan for updates or configuration changes, prioritizing the systems that manage your most sensitive monitoring environments.

References