CVE-2026-34172
Published: 31 March 2026
Summary
CVE-2026-34172 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Giskard Giskard-Agent. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Template Injection (T1221). The CVE ranks in the top 43.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely identification, reporting, and patching of flaws like CVE-2026-34172 in the Giskard library prevents RCE by upgrading to fixed versions 0.3.4 or 1.0.2b1.
Validating and sanitizing user input before passing it to ChatWorkflow.chat() blocks Jinja2 template injection and class traversal leading to RCE.
Vulnerability scanning detects CVE-2026-34172 in Giskard deployments and triggers remediation to prevent exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote code execution through server-side template injection (SSTI) in the Jinja2 engine when untrusted user input is passed directly to ChatWorkflow.chat(), directly enabling T1221: Template Injection.
NVD Description
Giskard is an open-source Python library for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal. The method name chat and parameter name message naturally invite passing user input directly, but the string is silently parsed as a Jinja2 template, not treated as plain text. This issue has been patched in versions 0.3.4 and 1.0.2b1.
Deeper analysis
CVE-2026-34172 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) in the Giskard open-source Python library, which is used for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, the ChatWorkflow.chat(message) method passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment (CWE-1336). This design flaw allows full remote code execution via Jinja2 class traversal when developers pass untrusted user input to the method, as the string is silently parsed as a Jinja2 template rather than treated as plain text. The method name "chat" and parameter name "message" naturally encourage direct use of user input.
An attacker can exploit this vulnerability if a developer integrates user-controlled input directly into ChatWorkflow.chat(). Exploitation is network-accessible with low attack complexity, requires only low privileges such as an authenticated user, and needs no user interaction. Successful exploitation grants full remote code execution on the host running the vulnerable Giskard code, with high impacts on confidentiality, integrity, and availability.
The issue has been addressed in Giskard versions 0.3.4 and 1.0.2b1. Developers should upgrade to these patched versions immediately. Additional details are available in the GitHub Security Advisory at https://github.com/Giskard-AI/giskard-oss/security/advisories/GHSA-frv4-x25r-588m.
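The difference between parsing a message as a Jinja2 template and rendering it as plain data, together with an SI-10 style input check, is shown below as an added example. It is not Giskard's code or its patch: the function names, the fixed template and the probe string are assumptions made for illustration, and the probe is a harmless arithmetic expression.

```python
# Added illustration: a model of the pattern described in the advisory,
# not Giskard's implementation. All function names here are hypothetical.
from jinja2 import Environment

ENV = Environment()  # non-sandboxed Environment, as in the NVD description

# Constructed sample input: a harmless arithmetic expression in Jinja2 syntax.
PROBE = "What is {{ 7 * 7 }}?"


def chat_as_template(message: str) -> str:
    """Anti-pattern: the caller's string becomes the template source."""
    return ENV.from_string(message).render()


# Fixed template owned by the developer; the message is only ever a variable.
FIXED = ENV.from_string("{{ message }}")


def chat_as_data(message: str) -> str:
    """Safe pattern: the caller's string is a value and is never parsed."""
    return FIXED.render(message=message)


def has_template_syntax(message: str, env: Environment = ENV) -> bool:
    """Input check: does the text contain any delimiter this env would parse?"""
    markers = [env.variable_start_string, env.block_start_string,
               env.comment_start_string, env.line_statement_prefix,
               env.line_comment_prefix]
    # The line prefixes are None unless configured; skip unset markers.
    return any(m and m in message for m in markers)


def guarded_chat(message: str) -> str:
    """Reject input carrying template syntax before it reaches a template sink."""
    if has_template_syntax(message):
        raise ValueError("template syntax in user message")
    return chat_as_template(message)


if __name__ == "__main__":
    print(chat_as_template(PROBE))  # the expression is evaluated
    print(chat_as_data(PROBE))      # the expression stays literal text
```

Input checks of this kind are a compensating control only; upgrading to 0.3.4 or 1.0.2b1 remains the fix the advisory gives.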
Details
- CWE(s)