# [CRIT] [GHSA / CRITICAL] CVE-2026-44181: Jupyter Enterprise Gateway: Jinja2 Template Server Side Template Injection resulting in Remote Code Execution

**Source:** GitHub Security Advisories
**Published:** 2026-06-03
**Article:** https://github.com/advisories/GHSA-f49j-v924-fx9w

## Threat Profile

Jupyter Enterprise Gateway: Jinja2 Template Server Side Template Injection resulting in Remote Code Execution

### Summary

The environment variables (`KERNEL_XXX`) used during the rendering of the Kubernetes manifest are vulnerable to Server Side Template Injection (SSTI).
By including Jinja2 template expressions, it is possible to execute Python code and OS commands in the Enterprise Gateway service.
The code can use or steal the Kubernetes service account token, which can steal Kubernetes se…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-44181`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1059.006** — Command and Scripting Interpreter: Python
- **T1611** — Escape to Host
- **T1078.004** — Valid Accounts: Cloud Accounts
- **T1552.005** — Unsecured Credentials: Cloud Instance Metadata API
- **T1059.004** — Command and Scripting Interpreter: Unix Shell

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Jinja2 SSTI payload to Jupyter Enterprise Gateway /api/kernels (CVE-2026-44181)

`UC_134_1` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstSeen max(_time) as lastSeen values(Web.http_user_agent) as user_agents values(Web.url) as urls from datamodel=Web.Web where Web.http_method=POST (Web.url="*/api/kernels*" OR Web.uri_path="*/api/kernels*") by Web.src, Web.dest, Web.dest_port
| `drop_dm_object_name(Web)`
| join type=inner src [ search (sourcetype IN ("stream:http","cef","nginx:plus:kv","istio_envoy_access","bro:http","suricata") OR index IN (proxy,waf,apigw)) earliest=-1d "/api/kernels" ("KERNEL_POD_NAME" OR "KERNEL_WORKING_DIR" OR "KERNEL_NAMESPACE") "{{" ("__globals__" OR "__class__" OR "__mro__" OR "__subclasses__" OR "__builtins__" OR "cycler.__init__" OR "os.popen" OR "os.system" OR "subprocess" OR "__import__") | rename clientip AS src | stats count by src | fields src ]
| sort - lastSeen
```
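As an added example (not code from the advisory, from this briefing, or from Enterprise Gateway), the check below applies the first hunt's logic offline: it inspects the `env` map of kernel-launch requests for `KERNEL_*` values carrying Jinja2 delimiters, the condition the SSTI requires, and grades them. It assumes a constructed access-log format that captures request bodies and that only `KERNEL_`-prefixed variables reach the manifest template.

```python
import json
import re

# Jinja2 delimiters: any of these in a KERNEL_* value means the caller is
# passing template syntax rather than plain data.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\{#")
# Higher-confidence markers of an object-walking SSTI payload (same terms the
# SPL hunt above searches for).
ESCALATION_MARKERS = re.compile(
    r"__(?:class|mro|subclasses|globals|builtins|import|init)__"
    r"|os\.(?:popen|system)|subprocess"
)


def check_kernel_env(env):
    """Return (variable_name, severity) for each suspicious KERNEL_* value.

    'high' = delimiters plus object-walking markers; 'medium' = delimiters only.
    Non-KERNEL_ keys are ignored (assumption: only those reach the template)."""
    findings = []
    for name, value in env.items():
        if not name.startswith("KERNEL_") or not isinstance(value, str):
            continue
        if TEMPLATE_DELIMS.search(value):
            sev = "high" if ESCALATION_MARKERS.search(value) else "medium"
            findings.append((name, sev))
    return findings


def hunt_kernel_requests(log_lines):
    """Scan JSON access-log records (constructed format) and return
    (src, findings) for every POST /api/kernels whose env looks injected."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or "/api/kernels" not in rec.get("path", ""):
            continue
        try:
            body = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            continue  # truncated or non-JSON body: nothing to inspect
        findings = check_kernel_env(body.get("env", {}))
        if findings:
            hits.append((rec.get("src"), findings))
    return hits


def _rec(src, method, body):
    """Build one constructed log record with the request body as a JSON string."""
    return json.dumps({"src": src, "method": method, "path": "/api/kernels",
                       "body": json.dumps(body) if body is not None else ""})


# Constructed sample log: one benign launch, one probe, one object-walking payload.
SAMPLE_LOG = [
    _rec("10.0.0.5", "GET", None),
    _rec("10.0.0.7", "POST", {"name": "python3", "env": {"KERNEL_WORKING_DIR": "/home/alice"}}),
    _rec("10.0.0.9", "POST", {"name": "python3", "env": {"KERNEL_WORKING_DIR": "{{ 7*7 }}"}}),
    _rec("10.0.0.11", "POST", {"name": "python3", "env": {
        "KERNEL_POD_NAME": "{{ x.__class__.__mro__ }}", "KERNEL_NAMESPACE": "team-a"}}),
]

if __name__ == "__main__":
    for src, findings in hunt_kernel_requests(SAMPLE_LOG):
        print(src, findings)
```

`check_kernel_env` can also gate values before they reach the renderer as a stopgap, though upgrading to a fixed release remains the fix.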

### Enterprise Gateway service account creates privileged / hostPath / RBAC-escalating pod (CVE-2026-44181 post-exploit)

`UC_134_2` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstSeen max(_time) as lastSeen values(Change.command) as manifests values(Change.object_path) as paths from datamodel=Change where Change.user="*enterprise-gateway*" Change.action IN ("created","updated","modified") (Change.object IN ("pods","rolebindings","clusterrolebindings","secrets") OR Change.object_category IN ("pods","rolebindings","clusterrolebindings","secrets")) by Change.user, Change.action, Change.object, Change.object_path, Change.src
| `drop_dm_object_name(Change)`
| where match(manifests, "(?i)\"privileged\"\\s*:\\s*true|hostPath|\"hostNetwork\"\\s*:\\s*true|\"hostPID\"\\s*:\\s*true|kind:\\s*(Cluster)?RoleBinding") OR object IN ("secrets","rolebindings","clusterrolebindings")
| sort - lastSeen
```

### Enterprise Gateway python container spawns shell or reads K8s service-account token (CVE-2026-44181 RCE)

`UC_134_3` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstSeen max(_time) as lastSeen values(Processes.process) as cmdlines values(Processes.process_path) as paths from datamodel=Endpoint.Processes where (Processes.parent_process_name="python" OR Processes.parent_process_name="python3" OR Processes.parent_process_name="python3.10" OR Processes.parent_process_name="python3.11" OR Processes.parent_process_name="python3.12") (Processes.process_name IN ("sh","bash","dash","ash","hostname","id","whoami","uname","curl","wget","nc","ncat","kubectl") OR Processes.process="*/var/run/secrets/kubernetes.io/serviceaccount*" OR Processes.process="*os.popen*" OR Processes.process="*os.system*") by host, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process, Processes.process_path
| `drop_dm_object_name(Processes)`
| where like(host, "%enterprise-gateway%") OR like(parent_process_name, "%python%")
| sort - lastSeen
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("python","python3","python3.10","python3.11","python3.12")
| where (FileName in~ ("sh","bash","dash","ash","hostname","id","whoami","uname","curl","wget","nc","ncat","kubectl"))
    or ProcessCommandLine has "/var/run/secrets/kubernetes.io/serviceaccount/token"
    or ProcessCommandLine has_any ("os.popen","os.system","subprocess.Popen")
| where DeviceName has_any ("enterprise-gateway","jupyter","jeg")
    or InitiatingProcessParentFileName has_any ("tini","containerd-shim","runc","docker-init")
    or InitiatingProcessCommandLine has_any ("enterprise_gateway","jupyter_enterprise_gateway")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, FileName, ProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-44181`
## Why this matters

Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 6 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
