Haystack AI framework vulnerability allows remote code execution via template injection
A server-side template injection (SSTI) vulnerability in the Haystack orchestration framework enables remote code execution. The flaw affects systems that allow users to define and run custom pipelines.
Certain components in Haystack use Jinja2 templates. Anyone who can create and render such a template on the client machine can run arbitrary code.
Key facts
- What: A server-side template injection (SSTI) vulnerability in the Haystack orchestration framework enables remote code execution.
- Incident date: Jul 31, 2024
- Who: deepset
- Failure mode: Brand & Safety Incident
- AI surface: Agentic Workflow
- Severity: High
What happened
The vulnerability, identified as CVE-2024-41950, was publicly disclosed on July 31, 2024. It affects Haystack versions 2.3.0 and earlier, allowing attackers to execute arbitrary code if they can create and render Jinja2 templates. The issue was resolved in version 2.3.1.
What broke inside the model
- 01 · Trigger: A user prompts the model in public view.
- 02 · Model step: The model produces unsafe or off-brand output.
- 03 · Control gap: No filter holds the line before publish.
- 04 · Failure: The output goes public unchecked.
- 05 · Consequence: A reputational or safety incident lands.
A contained signal crosses into output that goes public.
The failure stemmed from the insecure rendering of Jinja2 templates within certain Haystack components. Because the framework failed to neutralize special template elements, attackers could inject malicious code into the template. This allowed for the execution of arbitrary commands on the host machine.
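An added example, not code from Haystack or the advisory: the same caller-supplied template text rendered in a plain Jinja2 `Environment` and in Jinja2's `SandboxedEnvironment`. The function names and both templates are constructed for illustration, and the probe only reads a type name.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed inputs: an ordinary prompt template, and a harmless probe that
# steps from a template variable into Python object internals. Template
# injection depends on this kind of underscore-attribute access being allowed.
BENIGN = "Answer the question: {{ query }}"
PROBE = "{{ query.__class__.__name__ }}"


def render_unsandboxed(template_text: str, **variables) -> str:
    """Vulnerable pattern: caller-supplied template text in a plain Environment."""
    return Environment().from_string(template_text).render(**variables)


def render_sandboxed(template_text: str, **variables) -> str:
    """Hardened pattern: the sandbox refuses underscore-prefixed attributes."""
    env = SandboxedEnvironment()
    try:
        return env.from_string(template_text).render(**variables)
    except SecurityError as exc:
        # Surface the rejection to the caller instead of rendering anything.
        raise ValueError(f"template rejected: {exc}") from exc


def audit(template_text: str) -> str:
    """Classify a template as 'ok' or 'rejected' using the sandboxed renderer."""
    try:
        render_sandboxed(template_text, query="test")
    except ValueError:
        return "rejected"
    return "ok"


if __name__ == "__main__":
    # Plain environment: the probe reaches Python internals and renders "str".
    print("unsandboxed probe ->", render_unsandboxed(PROBE, query="hi"))
    # Sandboxed environment: ordinary templates still work, the probe does not.
    print("sandboxed benign  ->", render_sandboxed(BENIGN, query="hi"))
    print("audit(probe)      ->", audit(PROBE))
```

The sandbox is a general Jinja2 control shown for illustration; the page does not describe how the fix was implemented, and the remediation it names is upgrading to version 2.3.1.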
What it cost
Sources
- Primary: Insecure Jinja2 templates rendered in Haystack Components can lead to RCE (github.com)
- Primary: CVE-2024-41950 Detail - NVD (nvd.nist.gov)
- Primary: CVE-2024-41950, Haystack (dbugs.ptsecurity.com)
Cite this entry
AI Failure Index. "Haystack AI framework vulnerability allows remote code execution via template injection" (FI-0565). Realm Labs. https://failureindex.ai/failures/haystack-framework-vulnerability-allows-remote-code (indexed Jun 16, 2026).
Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0565. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
- AI Detection & Response (AIDR)
Realm watches the model's internal state for the signature of unsafe or off-brand generation and can block or reroute the output before it becomes public, in real time rather than after it has been screenshotted.