CVE-2026-27961 Overview
A Server-Side Template Injection (SSTI) vulnerability has been identified in Agenta, an open-source LLMOps platform. The vulnerability exists in versions prior to 0.86.8 within Agenta's API server evaluator template rendering functionality. Although the vulnerable code resides in the SDK package, it is executed server-side within the API process when running evaluators. This vulnerability does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments.
Critical Impact
This SSTI vulnerability allows authenticated attackers to execute arbitrary code on the server, potentially leading to complete system compromise, data exfiltration, and lateral movement within the network.
Affected Products
- Agenta LLMOps Platform versions prior to 0.86.8
- Self-hosted Agenta deployments
- Managed Agenta platform deployments
Discovery Timeline
- 2026-02-26 - CVE-2026-27961 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27961
Vulnerability Analysis
This vulnerability is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). Server-Side Template Injection occurs when user-controllable input is embedded into a template engine in an unsafe manner, allowing attackers to inject template directives that execute arbitrary code on the server.
In the context of Agenta's LLMOps platform, the vulnerability manifests within the API server's evaluator template rendering process. When users create or modify evaluators, the template input is processed server-side without adequate sanitization. An attacker with authenticated access to the platform could craft malicious template syntax that, when processed by the template engine, executes arbitrary Python code with the privileges of the API server process.
The attack surface is limited to authenticated users on self-hosted or managed Agenta deployments. Standalone SDK usage is not affected because the vulnerable code path is only executed within the API server context.
Root Cause
The root cause stems from improper neutralization of special elements within the template rendering logic. The evaluator functionality accepts user-provided template content that is passed directly to the template engine without sufficient input validation or sandboxing. Template engines in Python (such as Jinja2) can execute arbitrary code if configured insecurely or if user input is not properly escaped.
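The difference between an unsandboxed and a sandboxed engine, as an added example that is not Agenta's code or its patch. It assumes Jinja2 is the engine (the page names it only as an example); the template strings, variable names and the `render_untrusted` helper are constructed for illustration.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed inputs (not taken from Agenta): an ordinary placeholder template
# and one that reads Python object internals instead of the supplied data.
BENIGN = "Compare {{ output }} with {{ expected }}"
INTROSPECTING = "{{ output.__class__ }}"
VARIABLES = {"output": "Paris", "expected": "Paris"}

# Weak setting: user-authored template text compiled by a plain Environment,
# which permits attribute access to any Python attribute.
plain_env = Environment()

# Hardened setting: the sandbox refuses underscore-prefixed attributes, and
# StrictUndefined makes that refusal raise instead of rendering as "".
sandboxed_env = SandboxedEnvironment(undefined=StrictUndefined)


def render_untrusted(env, source, variables):
    """Render template text; return (status, text), status 'rendered' or 'blocked'."""
    try:
        return "rendered", env.from_string(source).render(**variables)
    except SecurityError as exc:
        return "blocked", str(exc)


if __name__ == "__main__":
    for label, env in (("plain", plain_env), ("sandboxed", sandboxed_env)):
        for source in (BENIGN, INTROSPECTING):
            print(label, repr(source), "->", render_untrusted(env, source, VARIABLES))
```

The Jinja2 sandbox limits attribute and call access only; it does not bound CPU or memory use, so it complements the process-level isolation listed under Workarounds.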
Attack Vector
The attack vector is network-based, requiring authenticated access to the Agenta platform. An attacker must have valid credentials and access to the evaluator functionality to exploit this vulnerability. The attacker would craft a malicious template payload containing template injection syntax specific to the underlying template engine. When the evaluator processes this template, the injected code executes server-side.
The vulnerability exploitation typically follows this pattern: the attacker submits a specially crafted evaluator template through the API, the template engine processes the input without proper sanitization, and the injected code executes within the context of the API server process. This can lead to unauthorized access to sensitive data, modification of system configurations, or execution of system commands.
For detailed technical information about the vulnerability mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-27961
Indicators of Compromise
- Unusual evaluator template content containing template injection syntax patterns such as {{, {%, or ${
- Unexpected system command execution originating from the Agenta API server process
- Anomalous outbound network connections from the API server to unknown destinations
- Modified or newly created files in the server environment not associated with normal operations
Detection Strategies
- Implement input validation logging to capture and alert on suspicious template patterns in evaluator submissions
- Monitor API server process behavior for child process spawning or unexpected system calls
- Deploy web application firewalls (WAF) with rules to detect common SSTI payloads
- Enable audit logging for all evaluator creation and modification operations
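One way to triage stored or submitted evaluator templates for the syntax patterns listed above, as an added example and not part of Agenta. Because ordinary templates also use `{{ name }}` placeholders, it flags only expressions that are not plain dotted names, plus statement blocks and `${`. The record fields (`id`, `template`) and sample data are assumptions constructed for illustration.

```python
import re

# Jinja2-style delimiters from the indicator list; "${" is checked separately.
EXPRESSION = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)
STATEMENT = re.compile(r"\{%.*?%\}", re.DOTALL)
# A plain placeholder: a dotted name with no underscore-prefixed segment.
PLAIN_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)*")


def triage_template(source):
    """Return the list of reasons a template deserves manual review."""
    reasons = []
    if STATEMENT.search(source):
        reasons.append("statement block {% ... %}")
    if "${" in source:
        reasons.append("${ interpolation syntax")
    for match in EXPRESSION.finditer(source):
        expr = match.group(1).strip()
        if not PLAIN_NAME.fullmatch(expr):
            reasons.append("non-placeholder expression: " + expr[:40])
    return reasons


def audit(records):
    """Map evaluator id -> reasons, for records with at least one finding."""
    findings = {}
    for record in records:
        reasons = triage_template(record["template"])
        if reasons:
            findings[record["id"]] = reasons
    return findings


# Constructed sample records; the field names are assumptions, not Agenta's schema.
SAMPLE_RECORDS = [
    {"id": "ev-1", "template": "Is {{ output }} equal to {{ inputs.expected }}?"},
    {"id": "ev-2", "template": "Grade: {{ output.__class__ }}"},
    {"id": "ev-3", "template": "{% for k in inputs %}{{ k }}{% endfor %}"},
    {"id": "ev-4", "template": "No placeholders at all"},
]

if __name__ == "__main__":
    for evaluator_id, reasons in audit(SAMPLE_RECORDS).items():
        print(evaluator_id, reasons)
```

Findings are review candidates, not confirmed exploitation: a legitimate template that uses filters or loops will also be listed.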
Monitoring Recommendations
- Establish baseline behavior for the Agenta API server and alert on deviations
- Monitor network traffic from the API server for unusual egress patterns
- Implement file integrity monitoring on critical system directories
- Review authentication logs for unauthorized access attempts to evaluator endpoints
How to Mitigate CVE-2026-27961
Immediate Actions Required
- Upgrade Agenta to version 0.86.8 or later immediately
- Audit existing evaluator templates for suspicious or malicious content
- Review access logs for potential exploitation attempts prior to patching
- Restrict access to evaluator functionality to trusted users only until patching is complete
Patch Information
Agenta version 0.86.8 contains the fix for this vulnerability. Organizations running self-hosted or managed Agenta deployments should upgrade to this version or later as soon as possible. The patch addresses the improper neutralization of special elements in the template rendering process.
For additional details, see the GitHub Security Advisory.
Workarounds
- Restrict network access to the Agenta API server to trusted IP ranges only
- Implement additional input validation at the network perimeter using a WAF
- Disable or restrict access to the evaluator functionality until patching is feasible
- Run the Agenta API server in a sandboxed or containerized environment with minimal privileges
# Configuration example - Restrict evaluator access via reverse proxy
# Add to nginx configuration to limit evaluator endpoint access
location /api/evaluators {
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://agenta-api:8000;
}


