CVE-2026-2969 is a vulnerability identified in datapizza-labs datapizza-ai version 0.0.2, specifically within the ChatPromptTemplate function located in datapizza-ai-core/datapizza/modules/prompt/prompt.py. The issue arises from improper neutralization of special elements used in the Jinja2 template engine, which is responsible for rendering dynamic content based on user-supplied prompts. This flaw allows an attacker to manipulate the Prompt argument, injecting malicious template code that the engine processes without adequate sanitization. Because the vulnerability can be exploited remotely without authentication or user interaction, an attacker can potentially execute unauthorized template code, leading to partial compromise of confidentiality, integrity, and availability of the affected system. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H indicates high privileges required, but the vector states PR:H which conflicts with no authentication; assuming PR:H means some privileges are needed), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability. The vendor has been contacted but has not responded or released a patch, and an exploit has been published publicly, increasing the risk of exploitation. This vulnerability is particularly concerning for organizations using datapizza-ai 0.0.2 in production environments, especially where template rendering is exposed to untrusted input. The lack of vendor response and patch availability necessitates immediate mitigation efforts by users.

The vulnerability allows remote attackers to inject malicious template code via the Prompt argument, potentially leading to unauthorized access or manipulation of sensitive data, execution of arbitrary code within the template context, or disruption of service. The partial compromise of confidentiality could expose sensitive information processed by the AI system. Integrity impacts could allow attackers to alter outputs or internal data, undermining trust in the AI's responses. Availability impacts, though limited, could result from resource exhaustion or crashes triggered by crafted templates. Organizations relying on datapizza-ai for AI-driven workflows, especially those processing sensitive or critical data, face risks of data leakage, manipulation, or denial of service. The published exploit increases the likelihood of active attacks. The medium severity reflects that exploitation requires some privileges or conditions, but the network attack vector and lack of user interaction make it a significant threat. The absence of vendor patches prolongs exposure, increasing potential damage over time.

1. Immediately restrict access to datapizza-ai 0.0.2 instances, limiting network exposure to trusted users and systems only. 2. Implement strict input validation and sanitization on all inputs passed to the ChatPromptTemplate function to prevent injection of malicious template code. 3. Employ application-layer firewalls or runtime application self-protection (RASP) tools to detect and block suspicious template injection attempts. 4. Isolate the template rendering environment using sandboxing techniques to limit the impact of any successful exploitation. 5. Monitor logs and system behavior for anomalies indicative of exploitation attempts, such as unusual template processing errors or unexpected output. 6. Consider upgrading to a later version of datapizza-ai once a patched release is available or applying custom patches if feasible. 7. If possible, disable or replace the vulnerable template handling component until a fix is released. 8. Educate developers and operators about the risks of template injection and secure coding practices related to template engines.