CVE-2026-40320
Published: 17 April 2026
Summary
CVE-2026-40320 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Giskard (vendor: Giskard). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The vulnerability is ranked at the 9.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely remediation through upgrading to giskard-checks version 1.0.2b1 or later, which fixes the unsafe Jinja2 Template rendering.
SI-10 (Information Input Validation): requires validation of the rule parameter loaded from check definitions to block malicious Jinja2 template expressions that enable arbitrary code execution.
Restricts write access to check definitions, preventing unauthorized modification with crafted rule strings from untrusted sources.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability enables arbitrary code execution via Jinja2 template injection from untrusted check definitions (T1059.006 Python), requires user execution of the test suite with malicious input (T1204.002 Malicious File), and facilitates supply chain attacks through untrusted test configurations in AI/ML pipelines (T1195.001 Compromise Software Dependencies and Development Tools).
NVD Description
Giskard is an open-source testing framework for AI models. In versions prior to 1.0.2b1, the ConformityCheck class rendered the rule parameter through Jinja2's default Template() constructor, silently interpreting template expressions at runtime. If check definitions are loaded from an untrusted source, a crafted rule string could achieve arbitrary code execution. Exploitation requires write access to a check definition and subsequent execution of the test suite. This issue has been fixed in giskard-checks version 1.0.2b1.
Deeper analysis [AI]
CVE-2026-40320 is a vulnerability in Giskard, an open-source testing framework for AI models, specifically affecting the giskard-checks component in versions prior to 1.0.2b1. The ConformityCheck class renders the rule parameter using Jinja2's default Template() constructor, which silently interprets template expressions at runtime. This allows a crafted rule string from an untrusted source to achieve arbitrary code execution, mapped to CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation requires an attacker to have write access to a check definition, typically loaded from an untrusted source, followed by execution of the test suite by a user. No privileges are needed (PR:N), but local access (AV:L), low attack complexity (AC:L), and user interaction (UI:R) are required to trigger the Jinja2 template evaluation, enabling high-impact confidentiality, integrity, and availability violations through arbitrary code execution.
The issue has been addressed in giskard-checks version 1.0.2b1, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to this version or later and validate all check definitions from trusted sources to mitigate risks.
This vulnerability is particularly relevant to AI/ML workflows, as Giskard is used for testing AI models, potentially exposing ML pipelines to supply-chain attacks via untrusted test configurations. No real-world exploitation has been reported.
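The SI-10 control above and the advice to validate check definitions both come down to the same thing: a rule string must never reach a template engine that evaluates arbitrary expressions. The following is an added example, not Giskard's own code, of a loader-side validator that accepts only plain `{{ name }}` placeholders against an allowlist and refuses any other Jinja2 syntax before rendering by plain substitution; the check-definition format and the `topic` variable are assumptions for illustration.

```python
import re

# Only this placeholder form is accepted in a rule: {{ identifier }}.
SIMPLE_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Any remaining Jinja2 delimiter means a statement, comment, call or expression.
ANY_DELIMITER = re.compile(r"\{\{|\{%|\{#")


class UnsafeRuleError(ValueError):
    """Raised when a rule uses template syntax beyond simple placeholders."""


def validate_rule(rule, allowed_vars):
    """Return the placeholder names used in rule, or raise UnsafeRuleError."""
    names = SIMPLE_PLACEHOLDER.findall(rule)
    # Remove the accepted placeholders; anything that still looks like a
    # delimiter is syntax we refuse to hand to a template engine.
    stripped = SIMPLE_PLACEHOLDER.sub("", rule)
    if ANY_DELIMITER.search(stripped):
        raise UnsafeRuleError("rule contains template syntax beyond simple placeholders")
    unknown = sorted(set(names) - set(allowed_vars))
    if unknown:
        raise UnsafeRuleError(f"rule references unknown variables: {unknown}")
    return names


def render_rule(rule, context):
    """Fill placeholders by string substitution; the rule is never evaluated."""
    validate_rule(rule, context.keys())
    return SIMPLE_PLACEHOLDER.sub(lambda m: str(context[m.group(1)]), rule)


def audit_checks(check_defs, context):
    """Classify each check definition as 'ok' or 'rejected: <reason>'."""
    report = {}
    for check in check_defs:
        try:
            validate_rule(check["rule"], context.keys())
            report[check["name"]] = "ok"
        except UnsafeRuleError as exc:
            report[check["name"]] = f"rejected: {exc}"
    return report


# Constructed sample check definitions (assumed format, not Giskard's real one).
SAMPLE_CHECKS = [
    {"name": "on_topic", "rule": "The answer must be about {{ topic }}."},
    {"name": "no_statements", "rule": "{% set x = 1 %}Always be polite."},
    {"name": "no_calls", "rule": "Match {{ topic.upper() }} exactly."},
    {"name": "unknown_var", "rule": "Mention {{ product }} by name."},
]

if __name__ == "__main__":
    for name, status in audit_checks(SAMPLE_CHECKS, {"topic": "refunds"}).items():
        print(f"{name}: {status}")
```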
Details
- CWE(s)
Affected Products
AI Security Analysis [AI]
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai