CVE-2026-27961: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in Agenta-AI agenta
Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when running evaluators. This does not affect standalone SDK usage — it only impacts self-hosted or managed Agenta platform deployments. Version 0.86.8 contains a fix for the issue.
AI Analysis
Technical Summary
CVE-2026-27961 is a Server-Side Template Injection (SSTI) vulnerability classified under CWE-1336, which involves improper neutralization of special elements used in a template engine. The vulnerability resides in the Agenta-AI platform, specifically in versions prior to 0.86.8, within the API server's evaluator template rendering component. Although the vulnerable code is part of the SDK package, the risk manifests only when the SDK is used in a server-side context within the API process, such as in self-hosted or managed Agenta deployments. The flaw allows an attacker with limited privileges (PR:L) to inject and execute arbitrary template code on the server without requiring user interaction. This can lead to full compromise of the server, including unauthorized access to sensitive data, modification or deletion of data, and disruption of service. The vulnerability has a CVSS v3.1 score of 8.8, reflecting its high impact and relatively low attack complexity. The issue was addressed in version 0.86.8 of Agenta, which includes proper sanitization and neutralization of template inputs to prevent injection. No public exploits or active exploitation have been reported, but the potential impact on confidentiality, integrity, and availability is severe, making timely patching critical.
Potential Impact
The SSTI vulnerability in Agenta's API server can lead to remote code execution, allowing attackers to fully compromise affected systems. This threatens the confidentiality of sensitive data processed or stored by the platform, the integrity of AI model evaluations and operational workflows, and the availability of the service itself. Organizations relying on Agenta for LLMOps risk data breaches, unauthorized manipulation of AI evaluation results, and potential lateral movement within their networks. Given the high CVSS score and the nature of the vulnerability, exploitation could result in significant operational disruption and reputational damage. The impact is amplified in environments where Agenta is integrated into critical AI infrastructure or handles sensitive intellectual property. The absence of known exploits in the wild suggests a window for proactive mitigation, but the risk remains high because exploitation is easy and requires only relatively low privileges.
Mitigation Recommendations
Organizations should immediately upgrade all Agenta deployments to version 0.86.8 or later, where the vulnerability is patched. For environments where immediate upgrade is not feasible, implement strict access controls to limit API server evaluator usage to trusted users only, minimizing the risk of exploitation. Employ network segmentation to isolate Agenta servers from broader internal networks to contain potential breaches. Monitor logs for unusual template rendering requests or errors indicative of injection attempts. Conduct code reviews and security testing focused on template usage in custom evaluators. Disable or restrict evaluator functionality if not essential. Additionally, implement runtime application self-protection (RASP) or web application firewalls (WAFs) with rules targeting SSTI patterns to provide an additional layer of defense. Finally, maintain an incident response plan tailored to potential code injection attacks to enable rapid containment and remediation.
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, South Korea, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-25T03:24:57.792Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699fabd8b7ef31ef0b7dea1a
Added to database: 2/26/2026, 2:11:36 AM
Last enriched: 3/5/2026, 10:04:59 AM
Last updated: 4/11/2026, 6:33:22 PM