CVE-2026-40320
Received Received - Intake
Arbitrary Code Execution via Jinja2 Template Injection in Giskard

Publication date: 2026-04-17

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
Giskard is an open-source testing framework for AI models. In versions prior to 1.0.2b1, the ConformityCheck class rendered the rule parameter through Jinja2's default Template() constructor, silently interpreting template expressions at runtime. If check definitions are loaded from an untrusted source, a crafted rule string could achieve arbitrary code execution. Exploitation requires write access to a check definition and subsequent execution of the test suite. This issue has been fixed in giskard-checks version 1.0.2b1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-24
Generated
2026-06-19
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-18
NVD
CVE-2026-40320
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
giskard giskard to 1.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, upgrade giskard-checks to version 1.0.2b1 or later, where the issue has been fixed.

Additionally, restrict write access to check definitions to trusted users only, as exploitation requires write access and execution of the test suite.

Detection Guidance

This vulnerability involves the Giskard testing framework versions prior to 1.0.2b1 where the ConformityCheck class uses Jinja2's default Template() constructor to render the rule parameter, allowing arbitrary code execution if untrusted check definitions are loaded.

Detection requires verifying if your system is running a vulnerable version of giskard-checks (prior to 1.0.2b1) and if any check definitions have been modified or loaded from untrusted sources.

Since no specific detection commands or network indicators are provided in the available information, general steps include:

  • Check the installed version of giskard-checks to confirm if it is older than 1.0.2b1.
  • Audit check definition files for unexpected modifications or untrusted sources.
  • Review logs or execution traces for suspicious activity during test suite runs.

No specific commands for detection are provided in the available context or resources.

Executive Summary

This vulnerability exists in the Giskard open-source testing framework for AI models, specifically in versions prior to 1.0.2b1. The issue is in the ConformityCheck class, which uses Jinja2's default Template() constructor to render the rule parameter. This causes template expressions to be interpreted silently at runtime. If an attacker has write access to a check definition and can insert a crafted rule string from an untrusted source, they could execute arbitrary code when the test suite runs.

The vulnerability has been fixed in giskard-checks version 1.0.2b1.

Impact Analysis

If exploited, this vulnerability allows an attacker with write access to a check definition to execute arbitrary code on the system running the Giskard test suite. This could lead to unauthorized actions such as data manipulation, system compromise, or disruption of AI model testing processes.

Compliance Impact

The vulnerability in Giskard's ConformityCheck class allows for arbitrary code execution if an attacker has write access to a check definition and can execute the test suite. This could potentially lead to unauthorized access or manipulation of data processed by the AI models tested with this framework.

Such unauthorized code execution and potential data compromise may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the specific effects on compliance depend on the context in which Giskard is used, the nature of the data involved, and the security controls in place.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40320. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart