Python
CVE-2026-34172
HIGH
GHSA-frv4-x25r-588m
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
Summary
ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal.
The method name chat and parameter name message naturally invite passing user input directly, but the string is silently parsed as a Jinja2 template, not treated as plain text.
Root Cause
libs/giskard-agents/src/giskard/agents/workflow.py line ~261:
def chat(self, message: str | Message | MessageTemplate, role: Role = "user") -> Self:
if isinstance(message, str):
message = MessageTemplate(role=role, content_template=message)The string becomes content_template, which is parsed by from_string():
libs/giskard-agents/src/giskard/agents/templates/message.py lines 14-15:
def render(self, **kwargs: Any) -> Message:
template = _inline_env.from_string(self.content_template)
rendered_content = template.render(**kwargs)The Jinja2 Environment is not sandboxed:
libs/giskard-agents/src/giskard/agents/templates/environment.py line 37:
_inline_env = Environment(
autoescape=False,
# Not SandboxedEnvironment
)Proof of Concept
from jinja2 import Environment
env = Environment()
# Same as giskard's _inline_env
# Class traversal reaches os.popen
t = env.from_string("{{ ''.__class__.__mro__[1].__subclasses__() | length }}")
print(t.render())
# 342 accessible subclasses
# Full RCE payload (subclass index varies by Python version)
# {{ ''.__class__.__mro__[1].__subclasses__()[INDEX].__init__.__globals__['os'].popen('id').read() }}A developer building a chatbot:
workflow = ChatWorkflow(generator=my_llm)
workflow = workflow.chat(user_input)
# user_input parsed as Jinja2 template
result = await workflow.run()
# RCE if user_input contains {{ payload }}Note: using .with_inputs(var=user_data) is safe because variable values are not parsed as templates. The issue is only when user strings are passed directly to chat().
Impact
Remote code execution on the server hosting any application built with giskard-agents that passes user input to ChatWorkflow.chat(). Attacker can execute system commands, read files, access environment variables.
Affects giskard-agents <=0.3.3 and 1.0.x alpha. Patched in giskard-agents 0.3.4 (stable) and 1.0.2b1 (pre-release).
Mitigation
Update to 0.3.4 (or 1.0.2b1 for the pre-release branch) which includes the fix.
The fix replaces the unsandboxed Jinja2 Environment with SandboxedEnvironment, which blocks attribute access to dunder methods and prevents class traversal chains. SandboxedEnvironment blocks access to attributes starting with _, preventing the __class__.__mro__ traversal chain.
AnalysisAI
Remote code execution in giskard-agents Python library (versions ≤0.3.3 and 1.0.x alpha) allows attackers to execute arbitrary system commands when user-controlled strings are passed to the ChatWorkflow.chat() method. The vulnerability stems from unsandboxed Jinja2 template rendering that enables class traversal exploitation via Python's object introspection. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires authenticated access (PR:L) to Giskard agent workflow. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This vulnerability presents critical real-world risk despite the absence of a formal CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An organization deploys a customer support chatbot using giskard-agents where user messages are processed through ChatWorkflow.chat(user_message). An attacker submits a chat message containing the Jinja2 payload: {{ ''.__class__.__mro__[1].__subclasses__()[INDEX].__init__.__globals__['os'].popen('cat /etc/passwd').read() }} where INDEX is adjusted for the Python version. … |
| Remediation | Organizations using giskard-agents must immediately upgrade to version 0.3.4 for stable deployments or version 1.0.2b1 for pre-release branch users. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all applications and environments using giskard-agents library and identify versions in use; flag any instances running versions ≤0.3.3 or 1.0.x alpha for emergency remediation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the T
Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to
Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) a
Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh inst
Stored cross-site scripting in Tautulli before 2.17.1 allows low-privilege authenticated users (including guests when gu
Share
External POC / Exploit Code
Leaving vuln.today