Platform: python
Component: dynaconf
Fixed versions: 3.2.14, 3.2.13
CVE-2026-33154 describes a Remote Code Execution (RCE) vulnerability in the Dynaconf configuration library. This vulnerability stems from unsafe template evaluation within the @jinja resolver, enabling attackers to potentially execute arbitrary operating system commands. The vulnerability impacts Dynaconf versions 3.2.9 and earlier, and a fix is available in version 3.2.13.
The core of this vulnerability lies in Dynaconf's @jinja resolver, which processes template expressions without proper sandboxing when the jinja2 package is installed. An attacker who can manipulate configuration sources—such as environment variables, .env files, container environment configurations, or CI/CD secrets—can inject malicious template code. This injected code, when evaluated by Dynaconf, can lead to arbitrary command execution on the host system. The potential impact is severe, allowing attackers to gain complete control over the affected server, steal sensitive data, or pivot to other systems within the network. The @format resolver also introduces object graph traversal, potentially exposing sensitive runtime objects and environment variables, further increasing the attack surface.
CVE-2026-33154 was publicly disclosed on March 18, 2026. There is no indication of this vulnerability being actively exploited at this time. The vulnerability's reliance on controlling configuration sources may limit its immediate exploitability, but the potential for remote code execution remains significant. No KEV listing is currently available. Public proof-of-concept code is not yet widely available, but the vulnerability's nature suggests that it is likely to be targeted by attackers.
Applications and systems that rely on Dynaconf for configuration management, particularly those deployed in environments where configuration sources (environment variables, .env files, CI/CD pipelines) are not adequately secured, are at significant risk. Shared hosting environments and applications using containerized deployments are also particularly vulnerable due to the ease with which configuration values can be manipulated.
• python / server:

```python
import subprocess

# Check the installed Dynaconf version against the affected range (3.2.9 and earlier)
def parse_version(text):
    return tuple(int(p) for p in text.split('.') if p.isdigit())

result = subprocess.run(['pip', 'show', 'dynaconf'], capture_output=True, text=True)
output = result.stdout
if 'Version:' in output:
    version = output.split('Version:')[1].strip().split('\n')[0]
    # Compare numerically, not as strings: '3.2.13' sorts before '3.2.9' lexically
    if parse_version(version) <= (3, 2, 9):
        print(f'Dynaconf version is vulnerable: {version}')
    else:
        print(f'Dynaconf version {version} is outside the affected range.')
else:
    print('Dynaconf is not installed or version cannot be determined.')
```

• linux / server:

```sh
# Check the installed Dynaconf version
python3 -c "import dynaconf; print(dynaconf.__version__)"
# Check for suspicious processes (crude: matches any command line containing "jinja")
ps aux | grep -i jinja
```

• generic web: Inspect application logs for any errors or warnings related to Jinja2 template evaluation or unexpected command execution.
Disclosure
Exploitation status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33154 is to upgrade Dynaconf to version 3.2.13 or later, which includes the necessary fixes to prevent unsafe template evaluation. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider temporarily restricting access to configuration sources that attackers could potentially manipulate. Implement strict input validation and sanitization on all configuration values to prevent malicious template code from being injected. If possible, disable the @jinja resolver entirely if it is not essential for your application. Monitor system logs for suspicious activity related to template evaluation or command execution. After upgrading, confirm the fix by attempting to inject a simple Jinja2 template expression into a configuration value and verifying that it is not evaluated.
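As an added example (not code from the advisory or from the Dynaconf project), the following script audits the configuration sources named above, a .env file and the process environment, for values that Dynaconf would hand to the @jinja or @format resolver, and reports whether they contain Jinja2 expression syntax. The DYNACONF_ environment-variable prefix is an assumption about Dynaconf's default, and the .env content is constructed sample data.

```python
import os
import re

# Constructed sample .env content (not from the advisory): one benign value,
# one value using the @jinja resolver, one using @format.
SAMPLE_DOTENV = """\
DYNACONF_DB_HOST=db.internal
DYNACONF_GREETING="@jinja Hello {{ this.DB_HOST }}"
DYNACONF_PATH="@format {env[HOME]}/app"
APP_DEBUG=false
"""

# Resolver markers the advisory names as risky when jinja2 is installed.
RISKY_RESOLVERS = ("@jinja", "@format")
# Jinja2 expression/statement delimiters: their presence means the value is
# rendered as a template rather than used as a literal string.
JINJA_SYNTAX = re.compile(r"{{.*?}}|{%.*?%}")

def parse_dotenv(text):
    """Minimal KEY=VALUE parser; strips one layer of surrounding quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values

def find_template_values(values, prefix="DYNACONF_"):
    """Return (key, resolver, has_jinja_syntax) for each value Dynaconf would
    pass to @jinja or @format. Only keys carrying the envvar prefix count;
    the DYNACONF_ default is an assumption about Dynaconf's configuration."""
    findings = []
    for key, value in values.items():
        if not key.startswith(prefix):
            continue
        for marker in RISKY_RESOLVERS:
            if value.startswith(marker):
                findings.append((key, marker, bool(JINJA_SYNTAX.search(value))))
    return findings

def audit_sources(dotenv_text, environ):
    """Audit a .env body plus an environment mapping; environment wins on clashes."""
    merged = {**parse_dotenv(dotenv_text), **dict(environ)}
    return find_template_values(merged)

if __name__ == "__main__":
    for key, marker, templated in audit_sources(SAMPLE_DOTENV, os.environ):
        print(f"{key}: uses {marker}; jinja syntax present={templated}")
```

Any hit is a value worth reviewing before the upgrade, and a value that still renders after upgrading to 3.2.13 or later indicates the fix is not in effect.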
Update the dynaconf library to version 3.2.13 or later. This fixes the remote code execution (RCE) vulnerability caused by unsafe evaluation of Jinja2 templates. The update ensures that template expressions are evaluated in a safe environment.
CVE-2026-33154 is a Remote Code Execution vulnerability in Dynaconf versions 3.2.9 and earlier, allowing attackers to execute OS commands through unsafe template evaluation.
You are affected if you are using Dynaconf versions 3.2.9 or earlier and have the jinja2 package installed. Check your version using pip show dynaconf.
Upgrade Dynaconf to version 3.2.13 or later. If immediate upgrade is not possible, restrict access to configuration sources and disable the @jinja resolver if not essential.
There is currently no public information indicating active exploitation of CVE-2026-33154, but the potential for exploitation remains significant.
Refer to the Dynaconf project's official security advisories and release notes for details on this vulnerability and the corresponding fix.