CVE-2026-27961
Received Received - Intake
Server-Side Template Injection in Agenta API Server Prior to

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage β€” it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27961
EUVD
EUVD-2026-8817
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
agentatech agenta to 0.86.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27961 is a high-severity Server-Side Template Injection (SSTI) vulnerability in the Agenta API server affecting versions prior to 0.86.8.

The vulnerability arises because the API server uses unsandboxed Jinja2 template rendering within its evaluator workflows, allowing an authenticated user to supply malicious template code.

This malicious template code can execute arbitrary Python code remotely on the server, leading to full remote code execution (RCE).

The vulnerable code is in the SDK package but only affects self-hosted or managed Agenta platform deployments, not standalone SDK usage.

Impact Analysis

This vulnerability allows any authenticated user, not just administrators, to remotely execute arbitrary code on the Agenta API server.

  • Attackers can read and write files on the server filesystem.
  • Attackers can access environment variables and secrets stored within the server container.
  • The vulnerability has a high impact on confidentiality, integrity, and availability of the server.

Because the attack complexity is low and only low privileges (authenticated user) are required, this vulnerability poses a significant risk to affected deployments.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if your Agenta API server is running a vulnerable version (prior to 0.86.8) and if it is processing Jinja2 templates unsandboxed in evaluator workflows.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is exploited by sending malicious Jinja2 template payloads via authenticated API requests, monitoring API server logs for suspicious template_format parameters set to "jinja2" and unusual template payloads can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'You can check the installed Agenta version with a command like:'}, {'type': 'list_item', 'content': 'agenta --version'}, {'type': 'paragraph', 'content': 'To detect active exploitation attempts, you might search API server logs for the string "template_format: \\"jinja2\\"" or suspicious Jinja2 expressions such as "{{ lipsum.__globals__[\'os\'].popen(\'id\').read() }}".'}, {'type': 'paragraph', 'content': 'Example command to search logs (assuming logs are in /var/log/agenta/api.log):'}, {'type': 'list_item', 'content': 'grep -E \'template_format:\\s*"jinja2"|\\{\\{.*\\}\\}\' /var/log/agenta/api.log'}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual process executions or network activity from the API server host may indicate exploitation.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary and immediate mitigation step is to upgrade the Agenta platform to version 0.86.8 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider restricting or disabling the use of Jinja2 template rendering in evaluator workflows, especially the "template_format: \\"jinja2\\"" option.'}, {'type': 'paragraph', 'content': 'Limit authenticated user permissions to reduce the risk of exploitation, as any authenticated user can exploit this vulnerability.'}, {'type': 'paragraph', 'content': 'Monitor API server logs for suspicious activity and consider temporarily disabling or restricting access to the API server until the patch can be applied.'}, {'type': 'paragraph', 'content': 'Ensure that the API server environment is isolated and that sensitive secrets and environment variables are protected to minimize impact in case of exploitation.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27961. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart