CVE-2026-27961
Published: 26 February 2026
Summary
CVE-2026-27961 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Agentatech Agenta. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 enforces validation of information inputs to the evaluator template rendering process, directly preventing server-side template injection (SSTI) exploits.
SI-2 requires timely identification, reporting, and patching of flaws, such as upgrading Agenta to version 0.86.8 to remediate the SSTI vulnerability.
RA-5 mandates vulnerability scanning to identify SSTI flaws like CVE-2026-27961 in the API server, enabling proactive remediation.
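The SI-10 control above, sketched as an added example (not Agenta's code and not the 0.86.8 fix): user-supplied evaluator templates are validated against an allowlist of plain placeholders and rendered by dictionary lookup, so no template expression is ever evaluated. The `{{ name }}` syntax, the function names and the sample templates are assumptions made for illustration.

```python
import re

# Assumed placeholder syntax: {{ name }} holding a plain identifier only.
_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Template-engine delimiters; any that remain after placeholders are removed are rejected.
_DELIMITER = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")

# Constructed evaluator templates (illustrative, not taken from Agenta).
SAMPLES = [
    "Compare {{ prediction }} with {{ reference }}.",
    "{{ 7*7 }}",
    "{{ prediction.__class__ }}",
    "{% if prediction %}x{% endif %}",
]


class TemplateRejected(ValueError):
    """Raised when a template holds anything beyond allowed placeholders."""


def validate_template(template: str, allowed: set) -> list:
    """Return the placeholder names used, or raise TemplateRejected."""
    names = _PLACEHOLDER.findall(template)
    for name in names:
        if name.startswith("_") or name not in allowed:
            raise TemplateRejected(f"placeholder not allowed: {name!r}")
    # Expressions, attribute access, filters and block tags never match
    # _PLACEHOLDER, so their delimiters survive in the residue.
    residue = _PLACEHOLDER.sub("", template)
    if _DELIMITER.search(residue):
        raise TemplateRejected("template contains expressions or block tags")
    return names


def render_template(template: str, values: dict) -> str:
    """Validate, then substitute by lookup; substituted text is not re-scanned."""
    validate_template(template, set(values))
    return _PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def audit(templates, allowed) -> dict:
    """Map each template to True (accepted) or False (rejected)."""
    verdicts = {}
    for t in templates:
        try:
            validate_template(t, allowed)
            verdicts[t] = True
        except TemplateRejected:
            verdicts[t] = False
    return verdicts
```

Running `audit` over stored evaluator templates also gives a quick review list of entries that contain more than plain placeholders.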
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSTI in the Agenta API server enables network-based RCE on a public-facing application (T1190); the Python-based platform and template engine context directly facilitate arbitrary code execution via the Python interpreter (T1059.006).
NVD Description
Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.
Deeper analysis
CVE-2026-27961 is a Server-Side Template Injection (SSTI) vulnerability, classified under CWE-1336, affecting Agenta, an open-source LLMOps platform. The issue resides in the evaluator template rendering of Agenta's API server, specifically in versions prior to 0.86.8. While the vulnerable code is located in the SDK package, it is executed server-side within the API process during evaluator runs. This vulnerability impacts only self-hosted or managed Agenta platform deployments and does not affect standalone SDK usage.
Attackers with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as scored at CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation typically involves injecting malicious templates during evaluator execution, potentially leading to remote code execution on the API server.
The GitHub security advisory at https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763 details the issue, confirming that version 0.86.8 includes a fix. Security practitioners should upgrade to this version or later in affected deployments to mitigate the vulnerability.
As an LLMOps platform, Agenta is used in AI/ML workflows for managing large language model operations, making this SSTI particularly relevant for organizations deploying such tools in production environments. No public information on real-world exploitation is available as of the CVE publication on 2026-02-26.
Details
- CWE(s)