CVE-2026-33154 in dynaconf

Summary

by MITRE • 03/20/2026

dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.


Analysis

by VulDB Data Team • 03/27/2026

Dynaconf serves as a comprehensive configuration management solution for Python applications, providing seamless integration with various configuration sources including environment variables, files, and remote services. The tool's design relies heavily on the jinja2 templating engine for dynamic configuration value resolution, which introduces a critical security vulnerability when the jinja2 package is present in the environment. This vulnerability manifests as a server-side template injection flaw that allows attackers to execute arbitrary code on the server hosting the dynaconf application.

The technical flaw resides in the @Jinja resolver implementation within dynaconf's configuration processing pipeline. When the jinja2 package is installed, dynaconf automatically attempts to evaluate configuration values containing template expressions without implementing proper sandboxing mechanisms. This unsafe template evaluation process occurs during configuration loading, where user-supplied values are processed through the jinja2 engine without any restrictions on the template operations that can be performed. The vulnerability stems from the lack of template sandboxing, which permits malicious template expressions to access underlying system resources, execute arbitrary commands, and potentially escalate privileges within the application environment.

The operational impact of this vulnerability extends beyond simple code execution to encompass full system compromise potential. An attacker who can influence configuration values through any vector, including environment variables, configuration files, or remote configuration sources, can craft malicious template expressions that exploit the unsafe evaluation process. This creates a high-severity threat landscape where attackers can access system files, execute shell commands, and potentially gain unauthorized access to sensitive data or system resources. The vulnerability affects any application using dynaconf with jinja2 installed, making it particularly dangerous in environments where configuration values may come from untrusted sources.

The fix implemented in version 3.2.13 addresses this vulnerability by introducing proper template sandboxing mechanisms within the @Jinja resolver. This patch ensures that template evaluation occurs within a restricted environment that prevents access to dangerous template functions and system resources. The mitigation strategy aligns with established security practices for preventing template injection attacks and demonstrates the importance of proper input validation and sandboxing in template processing systems. Organizations using affected versions should immediately upgrade to version 3.2.13 or later to eliminate this security risk.
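To make the unsafe-evaluation flaw and the sandboxing fix described above concrete, the following is an added example written for this page, not dynaconf's own code. It is a minimal stand-in resolver: the `@jinja ` prefix and the `this` context name mirror dynaconf's documented template syntax (an assumption), the settings dict is constructed, and the two resolver functions contrast a plain `jinja2.Environment` with `jinja2.sandbox.SandboxedEnvironment`, which refuses private and dunder attribute access with `SecurityError`.

```python
"""Minimal stand-in for a '@jinja' config resolver (constructed example, not dynaconf code)."""
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Assumption: dynaconf marks Jinja-resolved values with this prefix.
PREFIX = "@jinja "

# Constructed sample settings; 'this' is the name dynaconf exposes to templates (assumption).
SETTINGS = {"DB_HOST": "db.internal", "DB_PORT": 5432}


def resolve_unsafe(value: str, settings: dict) -> str:
    """Vulnerable pattern: render a config value with a full Environment.
    Every Python attribute reachable from the context is reachable from the template."""
    if not value.startswith(PREFIX):
        return value
    env = Environment(undefined=StrictUndefined)
    return env.from_string(value[len(PREFIX):]).render(this=settings)


def resolve_sandboxed(value: str, settings: dict) -> str:
    """Hardened pattern: SandboxedEnvironment rejects private/dunder attributes and
    other unsafe operations. StrictUndefined turns the rejection into a raised
    SecurityError instead of a silently empty string."""
    if not value.startswith(PREFIX):
        return value
    env = SandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(value[len(PREFIX):]).render(this=settings)


def sandbox_blocks(value: str, settings: dict) -> bool:
    """True when the sandbox refuses a value; useful as a check in a config linter."""
    try:
        resolve_sandboxed(value, settings)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    benign = "@jinja {{ this.DB_HOST }}:{{ this.DB_PORT }}"
    # Constructed probe: a dunder lookup, the kind of access the sandbox exists to refuse.
    probe = "@jinja {{ this.__class__ }}"
    print(resolve_unsafe(benign, SETTINGS))      # db.internal:5432
    print(resolve_sandboxed(benign, SETTINGS))   # db.internal:5432
    print(resolve_unsafe(probe, SETTINGS))       # <class 'dict'>  (leaks through)
    print(sandbox_blocks(probe, SETTINGS))       # True
```

Legitimate templates resolve identically in both environments, so switching to the sandbox is a drop-in mitigation for configuration values that reference settings only.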

This vulnerability maps directly to CWE-74 and CWE-94 within the Common Weakness Enumeration catalog, specifically addressing code injection vulnerabilities through unsafe template evaluation. From an attack framework perspective, this issue aligns with ATT&CK technique T1059.001 for command and scripting interpreter and T1566 for phishing campaigns that could lead to configuration manipulation. The vulnerability also relates to privilege escalation and remote code execution attack patterns commonly observed in modern exploitation frameworks, highlighting the critical nature of proper template sandboxing in configuration management tools.

Responsible

GitHub M

Reservation

03/17/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00024

KEV

no

Activities

very low

Sources
