The vulnerability CVE-2026-34172 affects the giskard-oss Python library developed by Giskard-AI, which is used for testing and evaluating agentic systems. The root cause is that the ChatWorkflow.chat(message) method directly passes its string argument as a Jinja2 template source to a non-sandboxed Jinja2 Environment. Jinja2 is a popular templating engine that supports powerful features including class traversal, which can be abused to execute arbitrary Python code if user input is not properly sanitized. In this case, the method name 'chat' and parameter 'message' naturally suggest that user input is passed directly, but the input is parsed as a template rather than treated as plain text. This design flaw leads to improper neutralization of special elements in the template (CWE-1336), enabling an attacker who can control the message parameter to craft malicious templates that perform remote code execution (RCE) on the host system. The vulnerability affects all versions prior to 0.3.4 and versions from 1.0.1a1 up to but not including 1.0.2b1. The issue has been patched in versions 0.3.4 and 1.0.2b1 by presumably sanitizing input or sandboxing the template environment. The CVSS 4.0 base score is 7.7 (high), reflecting network attack vector, low attack complexity, partial privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild to date. This vulnerability is critical for any deployment where untrusted user input can reach the chat method, as it can lead to full system compromise.

The primary impact of CVE-2026-34172 is the potential for remote code execution on systems running vulnerable versions of giskard-oss. Successful exploitation allows attackers to execute arbitrary Python code with the privileges of the application, potentially leading to full system compromise, data theft, service disruption, or lateral movement within networks. Since giskard-oss is used for testing and evaluating AI agentic systems, organizations relying on it for AI model validation or deployment pipelines may face risks to the integrity and confidentiality of their AI workflows and data. The vulnerability's ease of exploitation (low complexity, no user interaction) increases the risk of automated attacks or exploitation by low-skilled adversaries. Although no exploits are known in the wild yet, the public disclosure and availability of patches increase the urgency for organizations to remediate. Failure to patch could result in targeted attacks against AI development environments, intellectual property theft, or sabotage of AI systems. The vulnerability also undermines trust in AI testing infrastructure, which could have broader operational and reputational consequences.

1. Immediate upgrade to giskard-oss versions 0.3.4 or later, or 1.0.2b1 or later, which contain patches addressing this vulnerability. 2. Audit all codebases and deployment environments to identify any usage of the ChatWorkflow.chat(message) method, especially where the message parameter may contain user-supplied input. 3. If upgrading is not immediately possible, implement input validation and sanitization to ensure that user input cannot contain Jinja2 template syntax or special elements that enable class traversal. 4. Consider sandboxing or restricting the Jinja2 environment if custom template rendering is necessary, using Jinja2's sandboxed environment features to limit code execution capabilities. 5. Monitor logs and application behavior for suspicious template rendering activity or unexpected code execution patterns. 6. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) tools to detect and block anomalous behavior indicative of exploitation attempts. 7. Educate developers about the risks of passing user input directly to template engines without sanitization, especially in AI and agentic system contexts. 8. Review and harden access controls and privilege separation for systems running giskard-oss to minimize impact if exploitation occurs.