Cyber Posture

CVE-2026-34172

High · Public PoC

Published: 31 March 2026
Modified: 07 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Giskard is an open-source Python library for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal. The method name chat and parameter name message naturally invite passing user input directly, but the string is silently parsed as a Jinja2 template, not treated as plain text. This issue has been patched in versions 0.3.4 and 1.0.2b1.

Mitigating Controls (NIST 800-53 r5)

Control type: prevent

Timely identification, reporting, and patching of flaws like CVE-2026-34172 in the Giskard library prevents RCE by upgrading to fixed versions 0.3.4 or 1.0.2b1.

Control type: prevent

Validating and sanitizing user input before passing it to ChatWorkflow.chat() blocks Jinja2 template injection and class traversal leading to RCE.

Control type: prevent, detect

Vulnerability scanning detects CVE-2026-34172 in Giskard deployments and triggers remediation to prevent exploitation.
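To make the defect described above and the input-validation control concrete, here is an added illustration that is not Giskard's code: two hypothetical stand-in classes contrast a chat() that uses the message as Jinja2 template source with one that treats it as template data, plus a guard that flags template delimiters before the call.

```python
"""Model of the CVE-2026-34172 pattern: a chat message used as Jinja2 *template
source* versus the same message passed as template *data*.

The classes below are hypothetical stand-ins written for this illustration;
they are not the Giskard ChatWorkflow implementation."""
from jinja2 import Environment


class VulnerableChatWorkflow:
    """Mirrors the flawed pattern: the caller's string becomes the template."""

    def __init__(self) -> None:
        self.env = Environment()  # plain, non-sandboxed Environment

    def chat(self, message: str) -> str:
        # Whatever the caller passes is parsed and evaluated as a template.
        return self.env.from_string(message).render()


class FixedChatWorkflow:
    """Hardened pattern: the template is fixed; the message is only a variable."""

    PROMPT = "User: {{ message }}"

    def __init__(self) -> None:
        self.template = Environment().from_string(self.PROMPT)

    def chat(self, message: str) -> str:
        # Variable values are inserted as text and never re-parsed by Jinja2.
        return self.template.render(message=message)


TEMPLATE_MARKERS = ("{{", "{%", "{#")


def contains_template_syntax(message: str) -> bool:
    """Input-validation guard: reject strings carrying Jinja2 delimiters
    before they reach a chat()-style call (defence in depth, not a fix)."""
    return any(marker in message for marker in TEMPLATE_MARKERS)


# Constructed sample input: harmless arithmetic that reveals whether the
# string was evaluated as a template or kept as plain text.
PROBE = "hello {{ 6 * 7 }}"

if __name__ == "__main__":
    print(VulnerableChatWorkflow().chat(PROBE))  # hello 42  (evaluated)
    print(FixedChatWorkflow().chat(PROBE))       # User: hello {{ 6 * 7 }}
    print(contains_template_syntax(PROBE))       # True
```

Upgrading to the fixed releases remains the actual remediation; the guard only narrows exposure where the vulnerable call pattern cannot be removed yet.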

Security Summary

CVE-2026-34172 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) in the Giskard open-source Python library, which is used for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, the ChatWorkflow.chat(message) method passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment (CWE-1336). This design flaw allows full remote code execution via Jinja2 class traversal when developers pass untrusted user input to the method, as the string is silently parsed as a Jinja2 template rather than treated as plain text. The method name "chat" and parameter name "message" naturally encourage direct use of user input.

An attacker can exploit this vulnerability if a developer integrates user-controlled input directly into ChatWorkflow.chat(). Exploitation is network-accessible with low attack complexity, requires only low privileges such as an authenticated user, and needs no user interaction. Successful exploitation grants full remote code execution on the host running the vulnerable Giskard code, with high impacts on confidentiality, integrity, and availability.

The issue has been addressed in Giskard versions 0.3.4 and 1.0.2b1. Developers should upgrade to these patched versions immediately. Additional details are available in the GitHub Security Advisory at https://github.com/Giskard-AI/giskard-oss/security/advisories/GHSA-frv4-x25r-588m.

Details

CWE(s)

Affected Products

giskard / giskard-agent: 1.0.2 · ≤ 0.3.4
giskard / giskard-agents: 1.0.1

MITRE ATT&CK Enterprise Techniques

T1221 Template Injection · Stealth
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

The vulnerability allows remote code execution through server-side template injection (SSTI) in the Jinja2 engine when untrusted user input is passed directly to ChatWorkflow.chat(), directly enabling T1221: Template Injection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References