{ "threat_severity" : "Moderate", "public_date" : "2026-03-20T20:22:59Z", "bugzilla" : { "description" : "dynaconf: jinja2: Dynaconf: Arbitrary code execution via Server-Side Template Injection", "id" : "2449774", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2449774" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-917", "details" : [ "dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.", "A flaw was found in dynaconf, a Python configuration management tool. This Server-Side Template Injection (SSTI) vulnerability occurs due to unsafe template evaluation in the @Jinja resolver when the jinja2 package is installed. A remote attacker could exploit this by embedding malicious template expressions in configuration values, which are then processed without a sandboxed environment. This could lead to arbitrary code execution on the affected system." ], "affected_release" : [ { "product_name" : "Red Hat Ansible Automation Platform 2.5", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13553", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package" : "ansible-automation-platform-25/lightspeed-rhel8:1777403872" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13545", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "ansible-automation-platform-26/eda-controller-rhel9:1777296732" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13545", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "ansible-automation-platform-26/gateway-rhel9:1777311120" } ], "package_state" : [ { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform-26/controller-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform-26/hub-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform-26/lightspeed-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform/automation-dashboard-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Will not fix", "package_name" : "ansible-automation-platform-tech-preview/automation-dashboard-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "automation-controller", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33154\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33154\nhttps://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7\nhttps://github.com/dynaconf/dynaconf/releases/tag/3.2.13\nhttps://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p" ], "name" : "CVE-2026-33154", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "lang" : "en:us" }, "csaw" : false }