Description
Giskard is an open-source Python library for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal. The method name chat and parameter name message naturally invite passing user input directly, but the string is silently parsed as a Jinja2 template, not treated as plain text. This issue has been patched in versions 0.3.4 and 1.0.2b1.
Published: 2026-03-31
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Giskard Agents contain a server-side template injection flaw. The ChatWorkflow.chat() method accepts a message string and passes it directly to a Jinja2 Environment as template source. Because the template engine is not sandboxed, an attacker who supplies crafted input can perform class traversal and execute arbitrary code on the system where the agent runs. The vulnerability is classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), and here it results in remote code execution.
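
The flaw class described above, shown with a benign arithmetic probe. This is an added example, not code from Giskard or from the advisory. The function names are hypothetical stand-ins for the pattern, the sample input is constructed, and passing the message as a template variable is one mitigation pattern, not necessarily how the project patched it.

```python
import re

from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample input: a harmless arithmetic probe standing in for
# user-supplied chat text. It only reveals whether the engine evaluates it.
UNTRUSTED = "Total: {{ 7 * 7 }}"

# Jinja2's default delimiters for expressions, statements and comments.
_DELIMS = re.compile(r"\{\{|\{%|\{#")


def chat_vulnerable(message: str) -> str:
    """Hypothetical flawed pattern: the message itself is the template source."""
    return Environment().from_string(message).render()


def chat_sandboxed(message: str) -> str:
    """The sandbox restricts unsafe attribute access, but the message is
    still parsed and its expressions are still evaluated."""
    return SandboxedEnvironment().from_string(message).render()


def chat_as_data(message: str) -> str:
    """Developer-owned fixed template; the message is only a variable value
    and is never parsed as template source."""
    template = Environment().from_string("{{ message }}")
    return template.render(message=message)


def contains_template_syntax(message: str) -> bool:
    """Audit helper: flag input that would be interpreted if it reached
    a from_string() call."""
    return bool(_DELIMS.search(message))


if __name__ == "__main__":
    for fn in (chat_vulnerable, chat_sandboxed, chat_as_data):
        print(f"{fn.__name__:16} -> {fn(UNTRUSTED)!r}")
    print("flagged:", contains_template_syntax(UNTRUSTED))
```

Only the data-passing variant returns the input unchanged; the sandboxed variant still evaluates the expression, so a sandbox narrows what a template can reach but does not make user text plain text.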

Affected Systems

The issue affects the Giskard‑AI open‑source library, Giskard OSS, specifically the giskard-agent package. Versions prior to 0.3.4 and 1.0.2b1 are vulnerable, as identified by the provided CPE entries. The vulnerability is present in the ChatWorkflow.chat() method of the library’s agent component.

Risk and Exploitability

The CVSS score is 7.7, indicating high severity, while the EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog. The likely attack path requires an attacker to supply input to the chat() method, which can occur when untrusted data is processed through the library. Although the low EPSS score suggests that broad exploitation is limited, the potential impact of remote code execution is catastrophic; the overall risk is therefore considered high and mitigation should be pursued urgently. Detailed exploitation steps are not provided in the description, so mitigation focuses on eliminating the risk vector rather than fixing it programmatically.

Generated by OpenCVE AI on April 8, 2026 at 00:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Giskard OSS to version 0.3.4 or later, or 1.0.2b1 or later, where the patch removes the vulnerable template handling.


Advisories
Source: Github GHSA
ID: GHSA-frv4-x25r-588m
Title: Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment
History

Tue, 07 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Giskard
Giskard giskard-agent
Giskard giskard-agents
CPEs cpe:2.3:a:giskard:giskard-agent:*:*:*:*:*:python:*:*
cpe:2.3:a:giskard:giskard-agent:1.0.2:alpha1:*:*:*:python:*:*
cpe:2.3:a:giskard:giskard-agents:1.0.1:alpha1:*:*:*:python:*:*
Vendors & Products Giskard
Giskard giskard-agent
Giskard giskard-agents
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Giskard-ai
Giskard-ai giskard
Vendors & Products Giskard-ai
Giskard-ai giskard

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description Giskard is an open-source Python library for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal. The method name chat and parameter name message naturally invite passing user input directly, but the string is silently parsed as a Jinja2 template, not treated as plain text. This issue has been patched in versions 0.3.4 and 1.0.2b1.
Title Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment
Weaknesses CWE-1336
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T19:09:13.342Z

Reserved: 2026-03-25T20:12:04.198Z

Link: CVE-2026-34172

Vulnrichment

Updated: 2026-03-31T19:05:21.971Z

NVD

Status: Analyzed

Published: 2026-03-31T15:16:17.507

Modified: 2026-04-07T21:20:29.570

Link: CVE-2026-34172

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:23Z

Weaknesses