Jupyter Enterprise Gateway SSTI RCE, CVE‑2026‑44181 (Critical) -DC-Jun2026-203

By /

Listen to this Post

The vulnerability arises from unsafe interpolation of user‑supplied environment variables (KERNEL_XXX) into Jinja2 templates that are used to generate Kubernetes manifests. Specifically, the `KERNEL_POD_NAME` variable is passed directly into the rendering engine without any sanitisation, allowing an attacker to inject arbitrary Jinja2 expressions. Because Jinja2 supports full Python evaluation, a simple expression such as `{{77}}` will be evaluated by the server, turning into `49` in the resulting pod name.
The vulnerable code path begins when the Enterprise Gateway API receives a kernel creation request. The API accepts an `env` dictionary where keys prefixed with `KERNEL_` (e.g. KERNEL_POD_NAME) are later converted to lowercase and fed into the Jinja2 template engine. The template itself (kernel‑pod.yaml.j2) contains placeholders like {{ kernel_pod_name }}, `{{ kernel_working_dir }}` and others. Because there is no escaping or validation of these values, an attacker can place a payload like `{{ cycler.__init__.__globals__.os.popen(“hostname”).read() }}` inside KERNEL_POD_NAME. When the pod manifest is rendered, the payload is executed on the Enterprise Gateway host, delivering remote code execution in the context of the Gateway pod.
Once RCE is achieved, the attacker can read the Kubernetes service account token mounted inside the Gateway pod. The default service account is remarkably powerful: it has `get/watch/list/create/delete` permissions on secrets, pods, configmaps, persistentvolumeclaims, namespaces, rolebindings, and even `sparkapplications` resources. With such privileges the attacker can create a privileged pod or mount the host’s root filesystem (hostPath) to escape the container and fully compromise the entire Kubernetes cluster, including all workloads running on it.

DailyCVE Form:

Platform: Jupyter Enterprise Gateway
Version: 2.0.0rc2 – 3.2.3
Vulnerability: SSTI leads RCE
Severity: Critical
date: 2026‑06‑03

Prediction: 2026‑06‑03 (3.3.0)

What Undercode Say:

Analytics

  • The `KERNEL_POD_NAME` variable is rendered by `Jinja2` without any escaping or sandboxing.
  • The same unsafe interpolation applies to all `KERNEL_xxx` variables (e.g. KERNEL_WORKING_DIR), making many injection points available.
  • The Gateway’s service account has `create/delete` on `secrets` and pods, turning RCE into full cluster takeover.

Bash Commands & Codes

Proof‑of‑concept – SSTI detection

curl -X POST http://enterprise-gateway.svc.cluster.local:8888/api/kernels \
-H "Content-Type: application/json" \
-d '{"name":"python_kubernetes","env":{"KERNEL_POD_NAME":"bdawg-{{77}}"}}'

Remote code execution – OS command injection

curl -X POST http://enterprise-gateway.svc.cluster.local:8888/api/kernels \
-H "Content-Type: application/json" \
-d '{"name":"python_kubernetes","env":{
"KERNEL_POD_NAME":"bdawg-{{cycler.<strong>init</strong>.<strong>globals</strong>.os.popen(\"hostname\").read()}}",
"KERNEL_NAMESPACE":"default"
}}'

After exploitation – check the over‑privileged RBAC

kubectl auth can-i --list

Exploit:

  1. Send an API request to `/api/kernels` with a malicious `KERNEL_POD_NAME` containing a Jinja2 payload.
  2. The Enterprise Gateway renders the pod manifest, executing the payload on the Gateway pod.

3. Read the Kubernetes service account token (`/var/run/secrets/kubernetes.io/serviceaccount/token`).

  1. Use the token to call the Kubernetes API, creating a privileged pod or a pod with `hostPath` mounts.
  2. Escape the container and compromise the entire cluster.

Protection:

  • Upgrade to Jupyter Enterprise Gateway version 3.3.0 or later, where the vulnerable template rendering has been fixed.
  • Apply input validation on all user‑supplied `KERNEL_` variables, rejecting any string that contains Jinja2 delimiters ({{, }}, {%, %}).
  • Sandbox the Jinja2 environment by disabling dangerous built‑ins (e.g. __globals__, popen, subprocess).
  • Reduce RBAC permissions of the Enterprise Gateway service account to the minimum required (e.g. only `create/get` on `pods` in its own namespace).

Impact:

Remote code execution inside the Enterprise Gateway pod, followed by theft of the Kubernetes service account token. The attacker then gains the ability to read secrets, create privileged pods, mount host filesystems, and delete or modify any resource within the cluster. Ultimately, this leads to full compromise of the Kubernetes cluster and all workloads running on it.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top