The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-40320

CVE-2026-40320: Giskard AI Testing Framework RCE Flaw

CVE-2026-40320 is a remote code execution vulnerability in Giskard's AI testing framework caused by unsafe Jinja2 template rendering. This article covers technical details, affected versions, exploitation risks, and mitigation.

Published: April 23, 2026

CVE-2026-40320 Overview

CVE-2026-40320 is a Server-Side Template Injection (SSTI) vulnerability in Giskard, an open-source testing framework designed for AI models. The vulnerability exists in versions prior to 1.0.2b1 where the ConformityCheck class renders the rule parameter through Jinja2's default Template() constructor, silently interpreting template expressions at runtime. If check definitions are loaded from an untrusted source, a crafted rule string could achieve arbitrary code execution on the underlying system.

Critical Impact

Attackers with write access to check definitions can achieve arbitrary code execution by injecting malicious Jinja2 template expressions, potentially compromising the entire AI testing infrastructure.

Affected Products

  • Giskard giskard-checks versions prior to 1.0.2b1
  • Systems using Giskard AI testing framework with untrusted check definitions
  • AI/ML pipelines integrating Giskard conformity checks

Discovery Timeline

  • April 17, 2026 - CVE-2026-40320 published to NVD
  • April 17, 2026 - Last updated in NVD database

Technical Details for CVE-2026-40320

Vulnerability Analysis

This vulnerability stems from improper neutralization of special elements used in a template engine (CWE-1336). The Giskard testing framework provides a ConformityCheck class that allows users to define validation rules for AI model outputs. The vulnerability occurs because the rule parameter is processed through Jinja2's default Template() constructor without proper sandboxing or input validation.

Jinja2 is a powerful templating engine for Python that, when used with the default Template() constructor, allows execution of arbitrary Python expressions. This means that if an attacker can control the content of a check definition file, they can embed malicious template expressions that will be executed when the test suite runs.

The exploitation chain requires two conditions: first, the attacker must have write access to a check definition (either through direct file access, a compromised CI/CD pipeline, or a supply chain attack), and second, the test suite must be executed to trigger the template rendering. This local attack vector with required user interaction and privileges results in a medium severity classification, though the potential impact includes complete system compromise with high confidentiality, integrity, and availability impacts.

Root Cause

The root cause is the use of Jinja2's unsandboxed Template() constructor to render user-supplied rule parameters. Jinja2's default environment allows access to Python's object introspection capabilities, enabling attackers to traverse the object hierarchy and access dangerous functions. The secure alternative would be to use Jinja2's SandboxedEnvironment or to avoid template rendering entirely for user-supplied input.

Attack Vector

The attack requires local access to modify check definition files or the ability to influence check definitions through other means such as compromised dependencies or malicious pull requests. An attacker would craft a rule string containing Jinja2 template syntax that leverages Python's object introspection to execute system commands. When the test suite runs and the ConformityCheck class processes the malicious rule, the template engine interprets and executes the embedded code.

Common Jinja2 SSTI payloads exploit Python's Method Resolution Order (MRO) to access the subprocess module or os module from base object classes. The attack is particularly dangerous in CI/CD environments where test suites often run with elevated privileges.

Detection Methods for CVE-2026-40320

Indicators of Compromise

  • Unusual template syntax in check definition files, particularly containing {{, {%, or __ patterns
  • Check definition files with Python object references like __class__, __mro__, __subclasses__, or __globals__
  • Unexpected process spawning from Python processes running Giskard test suites
  • Anomalous network connections or file access from test execution environments

Detection Strategies

  • Implement file integrity monitoring on check definition directories to detect unauthorized modifications
  • Scan check definition files for known Jinja2 SSTI payload patterns before execution
  • Monitor process creation events from test execution environments for unexpected child processes
  • Review CI/CD pipeline logs for unusual test execution patterns or failures

Monitoring Recommendations

  • Enable detailed logging for Giskard test suite execution to capture rendered template content
  • Set up alerts for modifications to check definition files outside of normal development workflows
  • Monitor system call activity during test execution for signs of command injection
  • Implement code review requirements for all check definition changes

How to Mitigate CVE-2026-40320

Immediate Actions Required

  • Upgrade giskard-checks to version 1.0.2b1 or later immediately
  • Audit all existing check definition files for suspicious template expressions
  • Restrict write access to check definition directories to trusted personnel only
  • Review recent changes to check definitions in version control for malicious content

Patch Information

The vulnerability has been fixed in giskard-checks version 1.0.2b1. The patch addresses the unsafe template rendering by implementing proper input sanitization or sandboxing for the rule parameter in the ConformityCheck class. For detailed information about the fix, refer to the GitHub Release v1.0.2b1 and the GitHub Security Advisory GHSA-7xjm-g8f4-rp26.

Workarounds

  • Ensure check definitions are only loaded from trusted, version-controlled sources until upgrade is complete
  • Implement pre-execution scanning of check definition files for template injection patterns
  • Run test suites in isolated containers with minimal privileges to limit potential impact
  • Disable or remove conformity checks that use the vulnerable rule parameter until patched
bash
# Upgrade giskard-checks to the patched version
pip install --upgrade giskard-checks>=1.0.2b1

# Verify installed version
pip show giskard-checks | grep Version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechGiskard
  • SeverityMEDIUM
  • CVSS Score5.4
  • EPSS Probability0.03%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityHigh
  • AvailabilityHigh
  • CWE References
  • CWE-1336
  • Technical References
  • GitHub Release v1.0.2b1
  • GitHub Security Advisory GHSA-7xjm-g8f4-rp26
  • Related CVEs
  • CVE-2026-34172: Giskard Python Library RCE Vulnerability
  • CVE-2026-40319: Giskard AI Framework DOS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English