Threat Advisory

dynaconf Affected by RCE via Insecure Template Evaluation in @jinja Resolver

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Dynaconf is affected by a high-severity vulnerability tracked as CVE-2026-33154 (CVSS 7.5) in versions up to and including 3.2.12. The flaw is unsafe template evaluation in the @jinja resolver: when the Jinja2 engine is installed, configuration values that contain template expressions are rendered without a sandboxed environment, which turns a malicious value into Server-Side Template Injection (SSTI) and, from there, into Remote Code Execution (RCE) in the application process.

The issue becomes exploitable when an attacker can influence a configuration source, such as environment variables, .env files, or CI/CD pipeline inputs. Because no security boundary is enforced, a template can reach Python internal attributes and, through them, execute system-level commands. The @format resolver adds to the risk: it permits attribute traversal through Python objects at runtime, which can expose sensitive data such as environment variables and credentials. An attacker can chain the two resolvers to gain deeper access to the application context.

Successful exploitation may result in unauthorized command execution, exposure of secrets, and full compromise of the affected application process.
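The check a practitioner wants here, as an added example that is not part of this advisory and not dynaconf's own code: a scan of .env-style lines for values that would be handed to the @jinja or @format resolver, and the str.format() attribute-traversal primitive the advisory attributes to @format shown next to a string.Formatter subclass that refuses it. The assumption that a value beginning with "@jinja" or "@format" selects the matching resolver comes from dynaconf's documented value syntax; the .env lines, the key names and the helper names (find_template_values, is_suspicious, unsafe_format, safe_format, RestrictedFormatter) are constructed for this illustration.

```python
"""Added illustration for the advisory above; not dynaconf's code.

Shown on constructed input:
  1. a scan of .env-style lines for values that would select the @jinja or
     @format resolver (the sources the advisory names as attacker-influenced);
  2. the attribute-traversal primitive that plain str.format() offers, next to
     a string.Formatter subclass that refuses it.
"""
import re
import string
from typing import Any, Iterable

# Assumption (from dynaconf's documented value syntax): a value beginning with
# one of these tokens is handed to the matching resolver.
RESOLVER_PREFIXES = ("@jinja", "@format")

# Dunder names never appear in legitimate config interpolation; they are the
# hop points for traversal such as {env.__class__...} or {{ ''.__class__... }}.
_DUNDER = re.compile(r"__[A-Za-z0-9]+__")

# Constructed .env sample, not taken from any real project.
SAMPLE_DOTENV = [
    "# constructed sample",
    "DYNACONF_DATABASE_URL=postgres://db/app",
    'DYNACONF_LOG_DIR="@format {env[HOME]}/logs"',
    "DYNACONF_GREETING='@jinja {{ env.__class__.__mro__ }}'",
]


def find_template_values(dotenv_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (key, value) pairs whose value would trigger a template resolver."""
    hits: list[tuple[str, str]] = []
    for raw in dotenv_lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip("\"'")
        if value.startswith(RESOLVER_PREFIXES):
            hits.append((key.strip(), value))
    return hits


def is_suspicious(value: str) -> bool:
    """True when a template value reaches for Python internals via dunder names."""
    return _DUNDER.search(value) is not None


def unsafe_format(template: str, **values: Any) -> str:
    """Bare str.format(): the object traversal the advisory attributes to @format."""
    return template.format(**values)


class RestrictedFormatter(string.Formatter):
    """str.format() variant that refuses attribute or index hops through dunder names."""

    def get_field(self, field_name: str, args, kwargs):
        if _DUNDER.search(field_name):
            raise ValueError(f"refusing traversal in format field {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def safe_format(template: str, **values: Any) -> str:
    """Drop-in replacement for unsafe_format() using the restricted formatter."""
    return RestrictedFormatter().vformat(template, (), values)


if __name__ == "__main__":
    for key, value in find_template_values(SAMPLE_DOTENV):
        flag = "SUSPICIOUS" if is_suspicious(value) else "ok"
        print(f"{flag:10} {key} = {value}")
    env = {"HOME": "/home/app"}
    print(unsafe_format("{env.__class__.__name__}", env=env))  # traversal reaches the dict class
    print(safe_format("{env[HOME]}/logs", env=env))             # ordinary interpolation still works
    try:
        safe_format("{env.__class__.__name__}", env=env)
    except ValueError as exc:
        print("blocked:", exc)
```

The Jinja side is not reproduced because it needs the third-party jinja2 package; the equivalent boundary there is jinja2.sandbox.SandboxedEnvironment, which raises jinja2.exceptions.SecurityError on unsafe attribute access, instead of a bare jinja2.Environment. Run the scan against every source an attacker could write to before the loader evaluates it, and treat any @jinja or @format value that trips is_suspicious as hostile input rather than configuration.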

RECOMMENDATION:

We strongly recommend updating dynaconf to version 3.2.13 or later. Until the upgrade is complete, treat every source that feeds configuration values (environment variables, .env files, CI/CD pipeline inputs) as trusted-only input and review it for values that begin with @jinja or @format.

REFERENCES:

The following report contains further technical details:

https://github.com/advisories/GHSA-pxrr-hq57-q35p