Description
dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

SSTI arises from dynaconf's @Jinja resolver evaluating template expressions in configuration values without a sandbox, enabling an attacker to inject Python expressions that are executed on the server. When the jinja2 package is present, the evaluator can run arbitrary code, allowing the attacker to read, modify, or delete data, or exfiltrate sensitive information. The vulnerability can be triggered by malicious configuration entries, making it a high‑safety risk for any deployment exposing configuration files to untrusted input.

Affected Systems

The affected product is the dynaconf configuration tool for Python. Versions earlier than 3.2.13 are vulnerable, as documented by the vendor. Any deployment that relies on dynaconf before the 3.2.13 release, and has the jinja2 dependency installed, is susceptible to this remote code execution flaw.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level, while the EPSS score of less than 1% suggests that exploitation is currently unlikely on a broad scale. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no public exploits have been reported. An attacker can exploit the vulnerability by injecting malicious template syntax into configuration files or environments where dynaconf processes non‑trusted data. The analysis indicates that the most probable attack vector is through file‑based configuration injection, given that dynaconf evaluates templates in those contexts.

Generated by OpenCVE AI on April 14, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade dynaconf to version 3.2.13 or later.
  • If upgrading is not possible, disable the @Jinja resolver or remove unsafe template expressions from configuration.
  • Ensure that the jinja2 package is not installed unless required by your application.

Generated by OpenCVE AI on April 14, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pxrr-hq57-q35p dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver
History

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
CPEs cpe:2.3:a:dynaconf:dynaconf:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-917
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Dynaconf
Dynaconf dynaconf
Vendors & Products Dynaconf
Dynaconf dynaconf

Fri, 20 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.
Title dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver
Weaknesses CWE-1336
CWE-94
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dynaconf Dynaconf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T15:23:09.972Z

Reserved: 2026-03-17T21:17:08.886Z

Link: CVE-2026-33154

cve-icon Vulnrichment

Updated: 2026-03-25T13:39:27.332Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T21:17:15.740

Modified: 2026-04-14T18:23:14.307

Link: CVE-2026-33154

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-20T20:22:59Z

Links: CVE-2026-33154 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses