CVE-2026-33154: dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver
(updated )
Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment.
If an attacker can influence configuration sources such as: environment variables .env files container environment configuration CI/CD secrets they can execute arbitrary OS commands on the host system. In addition, the @format resolver allows object graph traversal, which may expose sensitive runtime objects and environment variables.
References
- github.com/advisories/GHSA-pxrr-hq57-q35p
- github.com/dynaconf/dynaconf
- github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7
- github.com/dynaconf/dynaconf/releases/tag/3.2.13
- github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p
- nvd.nist.gov/vuln/detail/CVE-2026-33154
Code Behaviors & Features
Detect and mitigate CVE-2026-33154 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →