CVE-2026-27961
Server-Side Template Injection in Agenta API Server Prior to
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agentatech | agenta | < 0.86.8 (0.86.8 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27961 is a high-severity Server-Side Template Injection (SSTI) vulnerability in the Agenta API server affecting versions prior to 0.86.8.
The vulnerability arises because the API server renders Jinja2 templates in its evaluator workflows without a sandbox, so an authenticated user can supply template code of their choosing.
Because an unsandboxed Jinja2 environment exposes Python object internals (attributes such as __globals__ and __class__ are reachable from the template), such a template can walk from an ordinary template global to the interpreter and execute arbitrary Python on the server, giving full remote code execution (RCE).
The vulnerable code ships in the SDK package, but it is only reachable in self-hosted or managed Agenta platform deployments that run the API server; standalone use of the SDK is not affected.
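As an added illustration (this is not code from the advisory or from the Agenta project), the following Python script puts the unsandboxed Jinja2 render described above beside the sandboxed render that closes the hole. The evaluator context, the template strings and the function names are assumptions about how such an evaluator might look; the gadget chain follows the `lipsum.__globals__` path quoted in the detection section further down this page, but calls `os.getpid()` instead of spawning a shell so that it is harmless to run.

```python
# Added example, not code from the advisory or from the Agenta project.
# Assumed (hypothetical) shape of an evaluator: it takes a user-supplied
# template and renders it over a small context of test-case fields. The only
# difference between the two renderers is the Jinja2 environment they use.
import os

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed evaluator context (in a real deployment: test-case inputs and
# the model output being scored).
EVAL_CONTEXT = {"prediction": "Paris", "expected": "Paris"}

# What a user is supposed to submit: a scoring expression.
BENIGN_TEMPLATE = "{{ 1 if prediction == expected else 0 }}"

# Gadget chain: `lipsum` is an ordinary Python function in Jinja2's default
# globals, so `__globals__` reaches its module namespace, where `os` is
# imported. The advisory's payload calls `popen('id')`; `getpid()` is used
# here so the example stays harmless while taking the same path.
MALICIOUS_TEMPLATE = "{{ lipsum.__globals__['os'].getpid() }}"


def render_unsandboxed(template_src: str, ctx: dict) -> str:
    """Vulnerable pattern: a plain Environment exposes object internals."""
    return Environment().from_string(template_src).render(**ctx)


def render_sandboxed(template_src: str, ctx: dict) -> str:
    """Hardened pattern: SandboxedEnvironment rejects attributes whose name
    starts with '_' (and other unsafe accesses) with a SecurityError."""
    return SandboxedEnvironment().from_string(template_src).render(**ctx)


def demo() -> dict:
    """Render both templates with both environments and summarise the outcome."""
    summary = {
        "benign_unsandboxed": render_unsandboxed(BENIGN_TEMPLATE, EVAL_CONTEXT),
        "benign_sandboxed": render_sandboxed(BENIGN_TEMPLATE, EVAL_CONTEXT),
        # The unsandboxed engine executes the gadget chain: the template
        # output is this process's real PID.
        "malicious_unsandboxed_ran": (
            render_unsandboxed(MALICIOUS_TEMPLATE, EVAL_CONTEXT) == str(os.getpid())
        ),
    }
    try:
        render_sandboxed(MALICIOUS_TEMPLATE, EVAL_CONTEXT)
        summary["malicious_sandboxed_blocked"] = False
    except SecurityError:
        summary["malicious_sandboxed_blocked"] = True
    return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The benign scoring template renders to "1" in both environments, so switching to `SandboxedEnvironment` costs legitimate users nothing; only the gadget chain changes behaviour, from returning the server's PID to raising `SecurityError` at the `__globals__` access. The sandbox is a necessary layer, not a complete one: keep the template context minimal and run the API server with the least privilege it needs, as the mitigation section recommends.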
How can this vulnerability impact me?
This vulnerability allows any authenticated user, not just administrators, to remotely execute arbitrary code on the Agenta API server.
- Attackers can read and write files on the server filesystem.
- Attackers can access environment variables and secrets stored within the server container.
- The vulnerability has a high impact on confidentiality, integrity, and availability of the server.
Because the attack complexity is low and only low privileges (authenticated user) are required, this vulnerability poses a significant risk to affected deployments.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves two checks: confirming whether your Agenta API server is running a vulnerable version (prior to 0.86.8), and confirming whether it renders Jinja2 templates unsandboxed in evaluator workflows.

Since the vulnerability is exploited by sending malicious Jinja2 template payloads in authenticated API requests, monitoring API server logs for evaluator requests whose template_format parameter is set to "jinja2" and whose template payload looks unusual can help detect exploitation attempts.

You can check the installed Agenta version with a command like:

- `agenta --version` (or `pip show agenta` for the pip-installed SDK package)

To detect active exploitation attempts, search the API server logs for the string `template_format: "jinja2"` together with suspicious Jinja2 expressions such as `{{ lipsum.__globals__['os'].popen('id').read() }}`. Tell-tale tokens are dunder attributes (`__globals__`, `__class__`, `__subclasses__`, `__builtins__`) and process-spawning calls (`popen`, `subprocess`) inside template delimiters; a legitimate scoring template has no reason to contain them.

Example command to search logs (assuming logs are in /var/log/agenta/api.log):

- `grep -E 'template_format:\s*"jinja2"|\{\{.*\}\}' /var/log/agenta/api.log`

Note that the second alternative in that pattern matches every Jinja2 expression, legitimate templates included, so treat its output as a triage list to review rather than as alerts.

Additionally, monitoring for unusual process executions or network activity from the API server host may indicate exploitation. [1]
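The following triage script is an added example (not from the advisory and not part of the Agenta project) that refines the grep above by looking only at jinja2-format evaluator requests and only at gadget-chain tokens inside template delimiters, so that ordinary scoring templates are not flagged. The log format it parses (one JSON object per line with `ts`, `user`, `path` and `body` fields, the body carrying `template_format` and `template`) and the sample log lines are constructed assumptions; adapt the field names to whatever your API server actually writes.

```python
# Added example, not from the advisory or the Agenta project: a triage script
# that refines the grep above, since "{{ ... }}" alone matches every legitimate
# evaluator template. Assumed (hypothetical) log format: one JSON object per
# line with "ts", "user", "path" and "body" fields, the body carrying the
# evaluator's "template_format" and "template". Adjust to your deployment.
import json
import re

# Building blocks of Jinja2 gadget chains that a scoring template never needs:
# dunder attributes used to walk from a harmless object to the interpreter,
# process-spawning calls, and the default globals that anchor known chains.
SUSPICIOUS_TOKENS = re.compile(
    r"__(?:globals|class|subclasses|builtins|import|mro|base|init)__"
    r"|\bpopen\b|\bsubprocess\b|\bos\.system\b|\bimport\b|\.read\(\)"
    r"|\b(?:lipsum|cycler|joiner|namespace)\b"
)

# Only look inside template delimiters so prose in other fields is ignored.
TEMPLATE_EXPRESSIONS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
{"ts":"2026-02-27T10:01:02Z","user":"alice","path":"/api/evaluators/run","body":{"template_format":"jinja2","template":"{{ 1 if prediction == expected else 0 }}"}}
{"ts":"2026-02-27T10:01:05Z","user":"bob","path":"/api/evaluators/run","body":{"template_format":"jinja2","template":"{{ lipsum.__globals__['os'].popen('id').read() }}"}}
{"ts":"2026-02-27T10:01:07Z","user":"carol","path":"/api/evaluators/run","body":{"template_format":"curly","template":"{prediction}"}}
{"ts":"2026-02-27T10:01:09Z","user":"bob","path":"/api/evaluators/run","body":{"template_format":"jinja2","template":"{% for c in ''.__class__.__mro__[1].__subclasses__() %}{{ c }}{% endfor %}"}}
not a json line: the triage must skip it rather than crash
"""


def triage_line(line: str):
    """Return a finding for a jinja2 evaluator request whose template carries
    suspicious tokens, or None for benign, non-jinja2 or unparseable lines."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    body = event.get("body") if isinstance(event, dict) else None
    if not isinstance(body, dict) or body.get("template_format") != "jinja2":
        return None
    template = str(body.get("template", ""))
    hits = sorted({
        m.group(0)
        for expr in TEMPLATE_EXPRESSIONS.findall(template)
        for m in SUSPICIOUS_TOKENS.finditer(expr)
    })
    if not hits:
        return None
    return {"ts": event.get("ts"), "user": event.get("user"),
            "tokens": hits, "template": template}


def triage(log_text: str) -> list:
    """Run triage_line over every line and keep only the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['ts']} user={finding['user']} tokens={finding['tokens']}")
```

On the sample log the script reports the two requests from user bob (the `lipsum.__globals__` chain and the `__class__.__mro__.__subclasses__` walk) and stays silent on alice's genuine scoring template, carol's non-Jinja2 request and the unparseable line. The `lipsum`, `cycler`, `joiner` and `namespace` globals are legitimate Jinja2 features, so flagging them trades some noise for catching the most common chain entry points; drop them from the pattern if your templates use them.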
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the Agenta platform to version 0.86.8 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, consider restricting or disabling the use of Jinja2 template rendering in evaluator workflows, specifically the `template_format: "jinja2"` option.

Limit authenticated user permissions to reduce the risk of exploitation, bearing in mind that any authenticated user, not only an administrator, can exploit this vulnerability, so restricting who can obtain an account matters at least as much as restricting roles.

Monitor API server logs for suspicious activity and consider temporarily disabling or restricting access to the API server until the patch can be applied.

Ensure that the API server environment is isolated and that sensitive secrets and environment variables are protected to minimize impact in case of exploitation. [1]