CVE-2026-45017: Python Liquid: Absolute paths escape filesystem loader search path
Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process. This vulnerability is fixed in 2.2.0.
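As a defender-side illustration added here (hypothetical code, not python-liquid's own loader), the containment check a filesystem loader needs: absolute template names are refused before any filesystem access, and relative names are resolved and verified to still lie under the search root, so neither an absolute path nor a `..` climb-out can reach files outside the search path. The `resolve_template`, `TemplateNotFound` and `demo` names are this example's own.

```python
import tempfile
from pathlib import Path, PurePosixPath

class TemplateNotFound(LookupError):
    """Raised when a template name cannot be resolved inside the search path."""

def resolve_template(search_paths, name):
    """Hypothetical hardened lookup (not python-liquid's own code): return the
    file under one of search_paths that `name` names, or raise TemplateNotFound.
    Absolute names are refused outright, because joining a search root to an
    absolute path yields that absolute path unchanged (this advisory's defect);
    relative names are resolved and checked for containment, which also stops
    '..' climb-outs and symlinks pointing outside the root."""
    if PurePosixPath(name).is_absolute() or Path(name).is_absolute():
        raise TemplateNotFound(f"absolute template name rejected: {name!r}")
    for root in search_paths:
        root = Path(root).resolve()
        candidate = (root / name).resolve()
        try:
            candidate.relative_to(root)  # containment check after normalisation
        except ValueError:
            raise TemplateNotFound(f"template name escapes search path: {name!r}")
        if candidate.is_file():
            return candidate
    raise TemplateNotFound(name)

def demo():
    """Run the resolver over a constructed layout in a temporary directory and
    return {case: "found" | "rejected"} so the outcome can be asserted on."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "templates"
        (root / "snippets").mkdir(parents=True)
        (root / "snippets" / "header.liquid").write_text("{{ title }}")
        secret = Path(tmp) / "secret.liquid"  # readable, but outside the search path
        secret.write_text("{{ 'should never render' }}")
        cases = {
            "legitimate": "snippets/header.liquid",
            "absolute": str(secret),  # the case this advisory describes
            "climb_out": "snippets/../../secret.liquid",
            "missing": "nope.liquid",
        }
        for label, name in cases.items():
            try:
                resolve_template([root], name)
                results[label] = "found"
            except TemplateNotFound:
                results[label] = "rejected"
    return results
```

The same containment check applies to any loader that joins user-supplied names onto a search root; a cache in front of the loader must key on the validated result, not the raw name.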
HarborGuard Analysis
Synopsis
This is a path traversal vulnerability in Python Liquid, a Python engine for the Liquid template language. An unauthenticated attacker who controls template content can pass an absolute file path to the {% include %} or {% render %} tags, bypassing the FileSystemLoader search path restriction and causing the engine to read arbitrary files on the host. Successful exploitation exposes the contents of any file readable by the application process, including secrets, configuration files, and source code. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment version 2.2.0 or a later fix is published upstream.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle the jg-rp/liquid package at an affected version.
- Available: HarborGuard scores this finding at CVSS 8.2 (High) and can weight it further against each environment's compliance policy before routing the alert to the appropriate team inbox inside the customer organization.
- Pending upstream: Because no fix version has been published upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a confirmed fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The vulnerable template engine is reachable over the network; an attacker must be able to submit or influence template content that the application renders.
- Authentication: Not required
No credentials are needed; the CVSS vector specifies PR:N, meaning any party that can supply template input can attempt exploitation.
- Victim interaction: Not required
No user action is required to trigger the vulnerability; the malicious template is processed automatically by the engine.
- Attack complexity: Low (AC:L)
The base exploit is straightforward and condition-free (AC:L), though the CVSS vector notes an attack requirement of AT:P, meaning the attacker must have or obtain the ability to author or inject template content.
Blast Radius
- An attacker reads arbitrary files on the host filesystem, limited only to files accessible by the process running the Liquid engine.
- Targeted files can include application secrets, API keys, database credentials, and environment configuration files.
- Source code and internal template files within the application directory are exposed if the process has read access to them.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all customer images containing the jg-rp/liquid package below version 2.2.0. Because no upstream fix has been confirmed at time of publication, the recommended compensating controls include restricting who can author or submit templates processed by the application, applying network-policy isolation to limit what the application process can reach, and ensuring the application runs with the minimum filesystem permissions needed. HarborGuard will re-evaluate the advisory on every ingest cycle, and the moment a confirmed fix version is published upstream, a patched-image rebuild will become available. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads.
Metrics
- CVSS v4.0
- 8.2
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
- jg-rp / liquid: < 2.2.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N