Security Vulnerability: CVE-2026-25526 in jinjava dependency (Critical CVSS 9.8)

[devin-ai-integration]

Topic

Security Vulnerability Report - CVE-2026-25526 affecting jinjava dependency

Requested by

This investigation was requested by Ilja Herdt (Ilja Herdt (Airbyte) (@iherdt-airbyte)) based on a customer security scan report (Zendesk ticket #16215).

Summary

A critical security vulnerability (CVE-2026-25526) has been identified in the com.hubspot.jinjava:jinjava dependency used by Airbyte. This vulnerability allows arbitrary Java code execution through a ForTag bypass in the Jinjava template engine.

Vulnerability Details

Field	Value
CVE ID	CVE-2026-25526
Severity	Critical (CVSS 9.8)
CVSS Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE	CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
Affected Versions	< 2.7.6, 2.8.0 ≤ Version < 2.8.3
Fixed Versions	2.7.6, 2.8.3
JFrog ID	XRAY-939436

Impact

The vulnerability enables attackers to bypass Jinjava's sandbox restrictions through the ForTag, potentially leading to:

• Arbitrary Java code execution
• Access to sensitive data and credentials
• Full system compromise

Affected Airbyte Component

File: airbyte-cdk/bulk/toolkits/legacy-task-load-low-code/build.gradle
Current Version: com.hubspot.jinjava:jinjava:2.7.4
Status: VULNERABLE (version < 2.7.6)

api 'com.hubspot.jinjava:jinjava:2.7.4'

Recommended Action

Upgrade the jinjava dependency from version 2.7.4 to version 2.7.6 (or 2.8.3+ if migrating to the 2.8.x branch).

Additional Context

This was discovered during a customer security scan using JFrog Xray. The customer is running a self-managed enterprise deployment and this vulnerability is blocking their ability to pull the connector-builder-server image due to their security policies.

Related CVEs in the Same Scan

The security scan also identified other vulnerabilities that may warrant attention:

• CVE-2025-68664 (LangChain Core) - CVSS 8.2 - Serialization injection
• CVE-2025-65106 (LangChain Core) - Template injection
• CVE-2025-58056/57 (Netty) - HTTP request smuggling/DoS

References

• HubSpot Jinjava Security Advisory
• Devin investigation session: https://app.devin.ai/sessions/50e265855bed419396525263029519ba

---

Internal Tracking: https://github.com/airbytehq/oncall/issues/11161

[octavia-bot]

AI Triage Starting...

Thank you for opening this issue! I'm an AI assistant that will help with initial triage.

I'll review your issue and:

• Ask clarifying questions if needed
• Provide immediate guidance if available
• Escalate to the appropriate team if this requires engineering attention

View playbook

• 🔗 Session URL: https://app.devin.ai/sessions/b5316a2da0c74665887d0bb45b6fc666

✅ Devin AI session created successfully!

[devin-ai-integration]

Hi @iherdt-airbyte, thank you for reporting this security vulnerability!

I've verified that the jinjava dependency at version 2.7.4 exists in airbyte-cdk/bulk/toolkits/legacy-task-load-low-code/build.gradle and is indeed vulnerable to CVE-2026-25526.

Confirmed Details:

• Affected File: airbyte-cdk/bulk/toolkits/legacy-task-load-low-code/build.gradle
• Current Version: 2.7.4 (vulnerable)
• Required Version: 2.7.6+ or 2.8.3+
• Severity: Critical (CVSS 9.8)

This is a valid security issue that requires a dependency upgrade. I'm escalating this to the internal oncall team for prioritized remediation.

---

This message is generated from Devin.ai (internal session link).

[devin-ai-integration]

This issue has been escalated to the internal oncall team for prioritized remediation.

Internal Tracking: https://github.com/airbytehq/oncall/issues/11161

The team will review and work on upgrading the jinjava dependency to a patched version. We'll update this issue once the fix is available.

---

This message is generated from Devin.ai (internal session link).