CVE-2026-34172
Remote Code Execution via Jinja2 Template Injection in Giskard ChatWorkflow
Publication date: 2026-03-31
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| giskard | giskard-agent | 1.0.2 |
| giskard | giskard-agents | 1.0.1 |
| giskard | giskard-agent | up to 0.3.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34172 is a server-side template injection vulnerability in the ChatWorkflow.chat() method of the giskard-agents Python package.
This method takes a string argument and passes it directly as a Jinja2 template source to a non-sandboxed Jinja2 Environment, which means the input is executed as a template rather than treated as plain text.
Because the environment is not sandboxed, an attacker can use Jinja2 class traversal techniques to execute arbitrary code remotely on the server by crafting malicious input.
For example, attackers can access Python internals and execute system commands like os.popen through the template syntax.
This vulnerability affects versions up to 0.3.3 and between 1.0.1a1 and 1.0.2a1 of giskard-agents and has been fixed in versions 0.3.4 and 1.0.2b1 by using Jinja2's SandboxedEnvironment.
How can this vulnerability impact me?
This vulnerability allows an attacker to perform full remote code execution (RCE) on the server hosting any application that uses the vulnerable ChatWorkflow.chat() method and passes user input directly to it.
An attacker can execute arbitrary system commands, potentially leading to data theft, system compromise, or further attacks within the network.
The impact is severe because it gives attackers control over the server environment, which can result in loss of confidentiality, integrity, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing if the ChatWorkflow.chat(message) method processes user input as a Jinja2 template without sandboxing, allowing template injection and remote code execution.
A practical detection method is to send a specially crafted input string that attempts Jinja2 class traversal, such as `{{ ''.__class__.__mro__[1].__subclasses__() }}`, to the vulnerable chat method and observe if the server executes it or returns related output.
For example, you can try sending a payload that executes a harmless system command like id via Jinja2 template syntax to check for remote code execution capability.
There are no specific network commands provided, but detection involves interacting with the application interface that uses ChatWorkflow.chat() and injecting Jinja2 template payloads to verify if they are executed.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the giskard-agents package to version 0.3.4 or 1.0.2b1 or later, where the vulnerability is fixed by replacing the non-sandboxed Jinja2 Environment with a SandboxedEnvironment.
This update prevents template injection attacks by blocking access to attributes starting with an underscore and stopping class traversal chains, effectively mitigating the remote code execution risk.
Additionally, avoid passing user input directly as a Jinja2 template source to ChatWorkflow.chat(message). Instead, use the safer .with_inputs(var=user_data) method which treats user input as variables rather than templates.
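To find call sites that need the change described above, the following added example (not code from giskard or from this advisory) statically scans Python source for `.chat(...)` calls whose template argument is anything other than a string literal. It is a heuristic that matches any method named `chat`; the sample source, the `wf` variable and the `message` keyword name are assumptions.

```python
import ast

# Constructed sample source (parsed only, never executed). `wf` stands for a
# ChatWorkflow instance; the call shapes are assumed from the method names above.
SAMPLE = '''\
def handle(wf, user_message):
    wf.chat("You are a helpful assistant.")
    wf.chat(user_message)
    wf.chat(f"Answer this: {user_message}")
    wf.chat("Answer this: {{ q }}").with_inputs(q=user_message)
    wf.chat("Context: " + user_message)
'''

def is_literal_str(node):
    """True only for a plain string constant, or a concatenation of such."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_literal_str(node.left) and is_literal_str(node.right)
    return False

def find_dynamic_chat_calls(source):
    """Return [(lineno, expr)] for .chat(arg) calls whose template is not a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "chat"):
            continue
        # First positional argument, or a keyword named `message` (assumed name).
        arg = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "message"), None)
        # Variables, f-strings and concatenations can carry user text into the
        # template source; a literal template fed via with_inputs() cannot.
        if arg is not None and not is_literal_str(arg):
            findings.append((node.lineno, ast.unparse(arg)))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, expr in find_dynamic_chat_calls(SAMPLE):
        print(f"line {lineno}: chat() template built from non-literal {expr!r}")
```

Each finding still needs manual review: a non-literal argument is only exploitable if attacker-controlled text can reach it on a vulnerable version.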
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows full remote code execution on the server hosting applications using the affected versions of the giskard-agents package. This can lead to unauthorized access, data breaches, and potential manipulation or exposure of sensitive information.
Such security weaknesses can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Organizations using vulnerable versions without applying the patch may face increased risk of non-compliance due to potential data compromise resulting from exploitation of this vulnerability.