Platform: python
Component: dynaconf
Fixed in: 3.2.14, 3.2.13
CVE-2026-33154 describes a Remote Code Execution (RCE) vulnerability in the Dynaconf configuration library. This vulnerability stems from unsafe template evaluation within the @jinja resolver, enabling attackers to potentially execute arbitrary operating system commands. The vulnerability impacts Dynaconf versions 3.2.9 and earlier, and a fix is available in version 3.2.13.
The core of this vulnerability lies in Dynaconf's @jinja resolver, which processes template expressions without proper sandboxing when the jinja2 package is installed. An attacker who can manipulate configuration sources—such as environment variables, .env files, container environment configurations, or CI/CD secrets—can inject malicious template code. This injected code, when evaluated by Dynaconf, can lead to arbitrary command execution on the host system. The potential impact is severe, allowing attackers to gain complete control over the affected server, steal sensitive data, or pivot to other systems within the network. The @format resolver also introduces object graph traversal, potentially exposing sensitive runtime objects and environment variables, further increasing the attack surface.
CVE-2026-33154 was publicly disclosed on March 18, 2026. There is no indication of this vulnerability being actively exploited at this time. The vulnerability's reliance on controlling configuration sources may limit its immediate exploitability, but the potential for remote code execution remains significant. No KEV listing is currently available. Public proof-of-concept code is not yet widely available, but the vulnerability's nature suggests that it is likely to be targeted by attackers.
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2026-33154 is to upgrade Dynaconf to version 3.2.13 or later, which includes the necessary fixes to prevent unsafe template evaluation. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider temporarily restricting access to configuration sources that attackers could potentially manipulate. Implement strict input validation and sanitization on all configuration values to prevent malicious template code from being injected. If possible, disable the @jinja resolver entirely if it is not essential for your application. Monitor system logs for suspicious activity related to template evaluation or command execution. After upgrading, confirm the fix by attempting to inject a simple Jinja2 template expression into a configuration value and verifying that it is not evaluated.
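As an added example (not code from the Dynaconf project or from this advisory), the following Python helper performs two of the checks above on a defender's side: it compares the installed version, as reported by pip show dynaconf, against the fixed release 3.2.13, and it flags values in a .env file or in DYNACONF_-prefixed environment variables that begin with the @jinja or @format resolver tokens named in this advisory. The DYNACONF_ prefix is Dynaconf's default envvar prefix and is assumed here; the .env contents are constructed sample data.

```python
import os
import re

FIXED_VERSION = (3, 2, 13)  # fixed release named in the advisory
_TOKEN_RE = re.compile(r"^\s*@(jinja|format)\b", re.IGNORECASE)

# Constructed sample .env contents (not taken from any real deployment).
SAMPLE_DOTENV = """# database settings
DYNACONF_DB_HOST=db.internal
DYNACONF_GREETING="@jinja {{ this.DB_HOST }}"
DYNACONF_PATH=@format {env[HOME]}/app
DYNACONF_PLAIN=@something-else
"""

def parse_version(text):
    """Extract '3.2.9' from a bare string or a `pip show dynaconf` 'Version:' line."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_fixed(version_text):
    """True when the installed Dynaconf is at or above the fixed release."""
    return parse_version(version_text) >= FIXED_VERSION

def parse_dotenv(text):
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional quoting."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip().strip("\"'")
    return out

def find_resolver_values(values):
    """Return (key, token) for each value that starts with @jinja or @format."""
    hits = []
    for key, value in values.items():
        m = _TOKEN_RE.match(value)
        if m:
            hits.append((key, "@" + m.group(1).lower()))
    return hits

def audit_environment(prefix="DYNACONF_"):
    """Scan live environment variables carrying Dynaconf's default prefix (assumed)."""
    scoped = {k: v for k, v in os.environ.items() if k.startswith(prefix)}
    return find_resolver_values(scoped)
```

Any key reported by find_resolver_values or audit_environment is a configuration value that Dynaconf would hand to a template resolver, so review who can write that source.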
Update the dynaconf library to version 3.2.13 or later. This corrects the remote code execution (RCE) vulnerability caused by unsafe evaluation of Jinja2 templates. The update ensures that template expressions are evaluated in a safe environment.
CVE-2026-33154 is a Remote Code Execution vulnerability in Dynaconf versions 3.2.9 and earlier, allowing attackers to execute OS commands through unsafe template evaluation.
You are affected if you are using Dynaconf versions 3.2.9 or earlier and have the jinja2 package installed. Check your version using pip show dynaconf.
Upgrade Dynaconf to version 3.2.13 or later. If immediate upgrade is not possible, restrict access to configuration sources and disable the @jinja resolver if not essential.
There is currently no public information indicating active exploitation of CVE-2026-33154, but the potential for exploitation remains significant.
Refer to the Dynaconf project's official security advisories and release notes for details on this vulnerability and the corresponding fix.