CVE-2026-27961 (GCVE-0-2026-27961)

Vulnerability from cvelistv5 – Published: 2026-02-26 01:39 – Updated: 2026-02-26 19:29
VLAI?
Title
Agenta's Server-Side Template Injection (SSTI) via custom evaluator Jinja2 templates allows RCE
Summary
Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
Impacted products
Vendor Product Version
Agenta-AI agenta Affected: < 0.86.8
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27961",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T19:28:54.001382Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T19:29:04.883Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "agenta",
          "vendor": "Agenta-AI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.86.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta\u0027s API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage \u2014 it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T01:39:09.997Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763"
        }
      ],
      "source": {
        "advisory": "GHSA-cfr2-mp74-3763",
        "discovery": "UNKNOWN"
      },
      "title": "Agenta\u0027s Server-Side Template Injection (SSTI) via custom evaluator Jinja2 templates allows RCE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27961",
    "datePublished": "2026-02-26T01:39:09.997Z",
    "dateReserved": "2026-02-25T03:24:57.792Z",
    "dateUpdated": "2026-02-26T19:29:04.883Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-27961",
      "date": "2026-04-21",
      "epss": "0.00063",
      "percentile": "0.19636"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27961\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-26T02:16:23.483\",\"lastModified\":\"2026-03-02T18:40:39.127\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta\u0027s API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage \u2014 it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.\"},{\"lang\":\"es\",\"value\":\"Agenta es una plataforma LLMOps de c\u00f3digo abierto. Una vulnerabilidad de inyecci\u00f3n de plantillas del lado del servidor (SSTI) existe en versiones anteriores a la 0.86.8 en la renderizaci\u00f3n de plantillas del evaluador del servidor API de Agenta. Aunque el c\u00f3digo vulnerable reside en el paquete SDK, se ejecuta del lado del servidor dentro del proceso de la API al ejecutar evaluadores. Esto no afecta el uso aut\u00f3nomo del SDK \u2014 solo afecta las implementaciones de la plataforma Agenta autoalojadas o gestionadas. La versi\u00f3n 0.86.8 contiene una soluci\u00f3n para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1336\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:agentatech:agenta:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.86.8\",\"matchCriteriaId\":\"FF609F89-BEC4-4CB7-8818-18575B3796E2\"}]}]}],\"references\":[{\"url\":\"https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27961\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-26T19:28:54.001382Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-26T19:28:59.844Z\"}}], \"cna\": {\"title\": \"Agenta\u0027s Server-Side Template Injection (SSTI) via custom evaluator Jinja2 templates allows RCE\", \"source\": {\"advisory\": \"GHSA-cfr2-mp74-3763\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Agenta-AI\", \"product\": \"agenta\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.86.8\"}]}], \"references\": [{\"url\": \"https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763\", \"name\": \"https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta\u0027s API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage \\u2014 it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1336\", \"description\": \"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-26T01:39:09.997Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-27961\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T19:29:04.883Z\", \"dateReserved\": \"2026-02-25T03:24:57.792Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-26T01:39:09.997Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.