CVE-2026-33154
Published: 20 March 2026
Summary
CVE-2026-33154 is a high-severity Code Injection (CWE-94) vulnerability in Dynaconf, a configuration management tool for Python (vendor and product are both listed as Dynaconf). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of flaws such as the SSTI vulnerability in Dynaconf by patching to version 3.2.13 or later, directly eliminating the unsafe template evaluation.
- SI-10 (Information Input Validation): mandates validation and sanitization of configuration values to prevent injection of malicious Jinja2 template expressions by low-privileged attackers.
- Establishes secure configuration settings for Dynaconf that restrict or disable unsafe features such as unsandboxed Jinja2 template resolution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSTI in Dynaconf enables RCE via unsandboxed Jinja2 template evaluation in configs (AV:N), directly mapping to exploitation of network-accessible apps (T1190) followed by Python code execution (T1059.006).
NVD Description
dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.
Deeper analysis
Dynaconf, a configuration management tool for Python, versions prior to 3.2.13, contains a Server-Side Template Injection (SSTI) vulnerability identified as CVE-2026-33154. The flaw arises in the @Jinja resolver, where Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment when the jinja2 package is installed. This issue, published on 2026-03-20, carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 94, 1336, and 78.
An attacker requires low privileges (PR:L) and must be able to supply or influence configuration values containing malicious Jinja2 template expressions. Exploitation is possible over the network (AV:N) without user interaction (UI:N), though it demands high attack complexity (AC:H). Successful attacks can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling remote code execution on the affected system.
The vulnerability is patched in Dynaconf version 3.2.13. Mitigation involves upgrading to this version or later. Key resources include the patching commit at https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7, the release announcement at https://github.com/dynaconf/dynaconf/releases/tag/3.2.13, and the GitHub security advisory at https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p.
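As an added example (not Dynaconf's resolver and not the patch commit), this contrasts the pattern the advisory describes, a plain jinja2 Environment evaluating a config value, with a hardened resolver: an allowlist gate on template syntax (the SI-10 control above) in front of jinja2's SandboxedEnvironment, with StrictUndefined so a blocked attribute access raises SecurityError instead of rendering an empty string. The `Settings` class, its `_token` attribute and the template name `this` are constructed for the demo; the render helpers require the jinja2 package, which is imported only when they are called, mirroring the advisory's "when the jinja2 package is installed" precondition.

```python
import importlib.util
import re

# True only when the jinja2 package is present (the advisory's precondition).
HAVE_JINJA2 = importlib.util.find_spec("jinja2") is not None

# Allowlist: an expression tag may only reference an upper-case settings key as
# ``this.KEY`` (``this`` is assumed here as the settings object's template name).
ALLOWED_EXPR = re.compile(r"\{\{\s*this\.[A-Z][A-Z0-9_]*\s*\}\}")
ANY_TAG = re.compile(r"\{[{%#]")

def validate_template_value(value: str) -> bool:
    """SI-10 gate: reject any Jinja tag that is not an allowlisted key reference."""
    return ANY_TAG.search(ALLOWED_EXPR.sub("", value)) is None

class Settings:
    """Constructed stand-in for the settings object exposed to templates."""
    DB_HOST = "db.internal"
    _token = "constructed-secret"  # underscore attribute a template must not read

def render_unsandboxed(value: str, settings: object) -> str:
    """Vulnerable pattern: a plain Environment evaluates whatever the value holds."""
    from jinja2 import Environment
    return Environment().from_string(value).render(this=settings)

def render_sandboxed(value: str, settings: object) -> str:
    """Hardened render: SandboxedEnvironment refuses underscore/internal attributes;
    StrictUndefined turns that refusal into a raised SecurityError, not ''."""
    from jinja2 import StrictUndefined
    from jinja2.sandbox import SandboxedEnvironment
    env = SandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(value).render(this=settings)

def sandbox_blocks(value: str, settings: object) -> bool:
    """True when the sandbox refuses to evaluate the value."""
    from jinja2.exceptions import SecurityError
    try:
        render_sandboxed(value, settings)
    except SecurityError:
        return True
    return False

def resolve(value: str, settings: object) -> str:
    """Both layers together: allowlist first, then sandboxed evaluation."""
    if not validate_template_value(value):
        raise ValueError(f"config value rejected by template allowlist: {value!r}")
    return render_sandboxed(value, settings)
```

The allowlist is the cheaper, dependency-free layer; the sandbox is what contains a value that slips past any allowlist, and the two together remove the unsandboxed evaluation the advisory describes.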
Details
- CWE(s)