CVE-2026-31864
Server-Side Template Injection in JumpServer Applet Uploads
Publication date: 2026-03-13
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fit2cloud | jumpserver | All versions before 3.10.22 (3.10.22 excluded) |
| fit2cloud | jumpserver | From 4.0.0 (included) to 4.10.16 (excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31864 is a Server-Side Template Injection (SSTI) vulnerability in JumpServer, an open source bastion host and security audit system.
The vulnerability exists in the Applet and VirtualApp upload functionality, specifically when processing user-uploaded YAML configuration files (manifest.yml) inside ZIP packages.
The issue arises because JumpServer renders these YAML files with a Jinja2 environment that has no sandbox restrictions, so template expressions embedded in an uploaded manifest.yml are evaluated with full access to the underlying Python objects and can execute arbitrary code on the server.
Exploitation requires administrative privileges (the Applet or Virtual Application Management permission): an attacker with such an account uploads a ZIP package whose manifest.yml contains malicious Jinja2 template code.
How can this vulnerability impact me?
Exploitation of this vulnerability allows an attacker to execute arbitrary code within the JumpServer Core container.
This can lead to theft of sensitive information from all managed hosts or manipulation of the database.
Because the attacker needs administrative privileges, the risk is limited to users with Applet or Virtual Application Management permissions, but the impact on confidentiality, integrity, and availability is high.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring the upload API endpoints for suspicious activity, especially uploads of Applet or VirtualApp ZIP packages containing malicious manifest.yml files.
Specifically, you should audit users with administrative privileges who have Applet or Virtual Application Management permissions, as exploitation requires these privileges.
No ready-made detection commands are published for this issue, but the two upload endpoints involved are known, so monitor HTTP POST requests to them for unusual or unexpected uploads:
- POST /api/v1/terminal/applets/upload/
- POST /api/v1/terminal/virtual-apps/upload/
Use network monitoring tools or web server logs to filter requests to these endpoints, then inspect the uploaded ZIP packages themselves: a manifest.yml containing Jinja2 template delimiters ({{ ... }}, {% ... %}) and in particular references to underscore-prefixed attributes such as __class__ is a strong indicator of an injection attempt.
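A triage routine for archives recovered from those upload endpoints, as an added example that is not part of the original page or of JumpServer: it opens an Applet/VirtualApp ZIP, locates manifest.yml, and classifies it by whether it contains Jinja2 delimiters at all and whether any expression reaches for a private attribute. The ZIP fixtures are constructed in memory so the script runs offline; in practice you would feed it archives captured from the upload endpoints or from the server's storage.

```python
"""Triage of an uploaded Applet/VirtualApp ZIP for template syntax in manifest.yml.

Added example, not JumpServer's code. The ZIP fixtures are constructed
in memory; point triage_upload() at real archives in practice.
"""
import io
import re
import zipfile
from typing import Optional

# Jinja2 delimiters: expressions, statements and comments.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)
# Reaching for an underscore-prefixed attribute (".__class__", "['__class__']")
# is the strongest signal of an SSTI attempt; a plain variable is much weaker.
PRIVATE_ATTR = re.compile(r"\.\s*_|\[\s*['\"]_")


def find_manifest(zip_bytes: bytes) -> Optional[str]:
    """Return the text of the first manifest.yml in the archive (any directory), or None."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.split("/")[-1] == "manifest.yml":
                return zf.read(name).decode("utf-8", errors="replace")
    return None


def triage_upload(zip_bytes: bytes) -> dict:
    """Classify an upload as 'missing', 'clean', 'template' or 'suspicious'."""
    text = find_manifest(zip_bytes)
    if text is None:
        return {"verdict": "missing", "expressions": []}
    exprs = TEMPLATE_SYNTAX.findall(text)
    if not exprs:
        return {"verdict": "clean", "expressions": []}
    if any(PRIVATE_ATTR.search(e) for e in exprs):
        return {"verdict": "suspicious", "expressions": exprs}
    return {"verdict": "template", "expressions": exprs}


def build_zip(manifest_text: Optional[str]) -> bytes:
    """Build a small applet ZIP in memory (constructed fixture, not a real applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_applet/README.md", "fixture\n")
        if manifest_text is not None:
            zf.writestr("demo_applet/manifest.yml", manifest_text)
    return buf.getvalue()


# Constructed fixtures.
CLEAN = build_zip("name: demo_applet\nversion: 1.0\n")
TEMPLATED = build_zip("name: demo_applet\nversion: {{ version }}\n")
PROBE = build_zip("name: demo_applet\nversion: {{ ''.__class__ }}\n")
NO_MANIFEST = build_zip(None)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("templated", TEMPLATED),
                        ("probe", PROBE), ("no manifest", NO_MANIFEST)):
        print(f"{label:12s} {triage_upload(blob)}")
```

The "template" verdict is deliberately separate from "suspicious": a manifest that merely references a variable may be legitimate depending on how the product uses the file, whereas an expression that walks into underscore-prefixed attributes has no legitimate place in a configuration file and should be escalated together with the uploading account.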
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade JumpServer to v3.10.22 or later on the 3.x line, or to v4.10.16 or later on the 4.x line; these releases fix the issue by sandboxing the Jinja2 environment used to render the uploaded manifest.
If immediate upgrade is not possible, you should:
- Restrict access to Applet and VirtualApp management permissions to trusted administrators only.
- Monitor the upload API endpoints for suspicious or unauthorized uploads.
- Audit users with application management privileges regularly to detect any unauthorized activity.