CVE-2026-27961 - Vulnerability Details

- Agenta's Server-Side Template Injection (SSTI) via custom evaluator Jinja2 templates allows RCE

Description

Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.

Published: 2026-02-26

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Agenta is an open‑source LLMOps platform that contains a Server‑Side Template Injection flaw in its API server evaluator. The vulnerable code resides in the SDK package but is executed on the server when evaluators run, allowing an attacker to inject Jinja2 template expressions that the server will interpret, potentially leading to arbitrary code execution on the host. This issue is limited to self‑hosted or managed Agenta deployments; usage of the standalone SDK is not affected.

Affected Systems

Vendor Agenta‑AI’s Agenta product, affected in every released version prior to 0.86.8. The fix is included in version 0.86.8 and later.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating a high severity level. The EPSS score is below 1%, suggesting a low probability of exploitation at this time. It is not listed in the CISA KEV catalog. The likely attack vector involves an actor who can supply or influence evaluator templates, such as through a constructed API request. On a misconfigured or unauthenticated exposure of the evaluator endpoint, the attacker could trigger code execution from the server side.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Agenta-AI

agenta

affected

Version	Status	Constraints
`< 0.86.8`	affected	—

Configuration 1 [-]

cpe:2.3:a:agentatech:agenta:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Agenta-ai

Agenta

100%

Version	Status	Scheme	Platform
`[0,0.86.8)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Agenta to version 0.86.8 or newer to apply the vendor‑supplied fix.
Restrict access to the evaluator API endpoint, ensuring that only authenticated users with the appropriate permissions can submit templates, and enforce least privilege for those users.
If evaluator templates are not required for your deployment, disable the evaluator feature entirely or sandbox the template rendering context to a minimal, read‑only environment to prevent execution of arbitrary expressions.

Generated by OpenCVE AI on April 18, 2026 at 10:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00073.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763

History

Mon, 02 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Agentatech Agentatech agenta
CPEs		cpe:2.3:a:agentatech:agenta::::::::
Vendors & Products		Agentatech Agentatech agenta

Fri, 27 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Agenta-ai Agenta-ai agenta
Vendors & Products		Agenta-ai Agenta-ai agenta

Thu, 26 Feb 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.
Title		Agenta's Server-Side Template Injection (SSTI) via custom evaluator Jinja2 templates allows RCE
Weaknesses		CWE-1336
References		https://github.com/Agenta-AI/agenta/security/advisories/GHSA-cfr2-mp74-3763
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Agenta-ai Agenta

Agentatech Agenta

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-26T01:39:09.997Z

Updated: 2026-02-26T19:29:04.883Z

Reserved: 2026-02-25T03:24:57.792Z

Link: CVE-2026-27961

Vulnrichment

Updated: 2026-02-26T19:28:59.844Z

NVD

Status : Analyzed

Published: 2026-02-26T02:16:23.483

Modified: 2026-03-02T18:40:39.127

Link: CVE-2026-27961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses

CWE-1336

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object