Critical (9.0)

Thymeleaf server-side template injection, unauth (CVE-2026-40478)


Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms...

Overview

A critical security bypass vulnerability, CVE-2026-40478, has been identified in the Thymeleaf Java template engine. This flaw allows attackers to circumvent the library’s built-in safeguards, potentially leading to a complete compromise of affected applications.

Vulnerability Details

Thymeleaf versions 3.1.3.RELEASE and earlier contain a weakness in their expression execution mechanisms. While the library includes features designed to prevent unauthorized code execution, specific syntax patterns are not properly neutralized. If a vulnerable application passes unvalidated, user-controlled input directly to the template engine, an attacker can inject and execute arbitrary template expressions.

Impact and Severity

This is a Server-Side Template Injection (SSTI) vulnerability with a CVSS score of 9.0 (CRITICAL). An unauthenticated remote attacker could exploit this flaw to execute code on the server with the same privileges as the Java application. Successful exploitation could lead to data theft, modification, or deletion, and full system takeover depending on the application’s environment and permissions. This vulnerability is not currently listed on CISA’s Known Exploited Vulnerabilities catalog, but its high severity warrants immediate attention.

Affected Versions

  • Thymeleaf versions 3.1.3.RELEASE and all prior versions.

Remediation

The issue is fixed in Thymeleaf version 3.1.4.RELEASE. All users must upgrade to this version immediately.

Steps to Remediate:

  1. Identify all applications using the Thymeleaf template engine.
  2. Check the Thymeleaf dependency version in your project configuration files (e.g., pom.xml for Maven, build.gradle for Gradle).
  3. Update the dependency to version 3.1.4.RELEASE or later.
  4. Rebuild and redeploy your applications.
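The following script carries out steps 2 and 3 of the procedure above as an automated check. It is an example added by the editor, not code from the advisory or from the Thymeleaf project; it assumes only the affected range (3.1.3.RELEASE and earlier) and the fixed version (3.1.4.RELEASE) stated in this advisory, and the pom.xml and build.gradle contents embedded in it are constructed samples.

```python
"""Dependency audit for CVE-2026-40478 (editor's added example, not advisory code).

Assumes the affected range and fixed version stated in the advisory:
3.1.3.RELEASE and earlier are affected, 3.1.4.RELEASE fixes it. The sample
pom.xml and build.gradle contents below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

FIXED_VERSION = "3.1.4.RELEASE"
THYMELEAF_GROUP = "org.thymeleaf"


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """'3.1.3.RELEASE' -> (3, 1, 3). Qualifiers such as RELEASE are dropped.
    Returns None for unresolved values like '${thymeleaf.version}'."""
    parts = tuple(int(p) for p in version.split(".") if p.isdigit())
    return parts or None


def is_affected(version: str) -> Optional[bool]:
    """True if strictly below the fixed release, False if fixed or later,
    None if the version string cannot be compared (e.g. a Maven property)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < parse_version(FIXED_VERSION)


def thymeleaf_versions_in_pom(pom_xml: str) -> List[str]:
    """Versions of every org.thymeleaf <dependency> that declares a <version>.
    Dependencies managed by a parent POM or BOM (no <version>) are not reported."""
    def local(tag: str) -> str:  # strip the Maven XML namespace from a tag name
        return tag.split("}", 1)[-1]

    root = ET.fromstring(pom_xml)
    versions = []
    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in dep}
        if fields.get("groupId") == THYMELEAF_GROUP and "version" in fields:
            versions.append(fields["version"])
    return versions


# Matches the compact Gradle notation 'org.thymeleaf:<artifact>:<version>'.
GRADLE_DEP = re.compile(r"""['"]org\.thymeleaf:[\w.-]+:([\w.-]+)['"]""")


def thymeleaf_versions_in_gradle(build_gradle: str) -> List[str]:
    """Versions of every org.thymeleaf dependency written in compact notation."""
    return GRADLE_DEP.findall(build_gradle)


def audit(pom_xml: str = "", build_gradle: str = "") -> List[Tuple[str, str, Optional[bool]]]:
    """(source file, version, affected?) for each Thymeleaf dependency found."""
    findings = []
    if pom_xml:
        for v in thymeleaf_versions_in_pom(pom_xml):
            findings.append(("pom.xml", v, is_affected(v)))
    if build_gradle:
        for v in thymeleaf_versions_in_gradle(build_gradle):
            findings.append(("build.gradle", v, is_affected(v)))
    return findings


# Constructed sample build files so the script runs stand-alone.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.thymeleaf</groupId>
      <artifactId>thymeleaf</artifactId>
      <version>3.1.3.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.thymeleaf</groupId>
      <artifactId>thymeleaf-spring6</artifactId>
      <version>3.1.4.RELEASE</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'org.thymeleaf:thymeleaf:3.0.15.RELEASE'
    testImplementation "org.junit.jupiter:junit-jupiter:5.10.0"
}"""

if __name__ == "__main__":
    for source, version, affected in audit(SAMPLE_POM, SAMPLE_GRADLE):
        if affected is None:
            status = "version unresolved, check the effective POM"
        elif affected:
            status = "AFFECTED, upgrade to " + FIXED_VERSION
        else:
            status = "ok"
        print(f"{source}: org.thymeleaf {version}: {status}")
```

Two caveats: a version set through a Maven property or inherited from a parent POM or BOM is reported as unresolved or not at all, so confirm the effective version with `mvn dependency:tree` or `gradle dependencies`; and the Gradle matcher only understands the compact `group:artifact:version` string form, not the `group: '...', name: '...', version: '...'` map form.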

Mitigation Considerations: If immediate upgrading is not possible, review all code paths where user input is passed to Thymeleaf’s template processing functions, and ensure rigorous input validation and sanitization are applied. Upgrading remains the only complete solution, as the vulnerability resides in the library’s core protections.
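As a starting point for the code-path review described above, the following triage helper flags Thymeleaf `process(...)` calls whose template argument is assembled at runtime rather than written as a string literal. It is an example added by the editor, not code from the advisory or the Thymeleaf project: `TemplateEngine.process(String, IContext)` is the real Thymeleaf method name, but the Java lines it scans are constructed, and the check is a heuristic for prioritising manual review rather than a vulnerability scanner.

```python
"""Triage helper for the CVE-2026-40478 mitigation review (editor's added example).

Flags Thymeleaf process(...) calls whose first argument, the template name or
template text, is not a plain string literal. Such calls are the code paths
where user-controlled input could reach the template engine and must be reviewed
by hand. The Java sample below is constructed for illustration.
"""
import re
from typing import List, Tuple

# First argument of a .process( call, up to the next comma or closing paren.
PROCESS_CALL = re.compile(r"\.process\(\s*([^,)]+)")


def is_plain_literal(arg: str) -> bool:
    """True for a single double-quoted Java string literal with no concatenation."""
    arg = arg.strip()
    return len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"' and "+" not in arg


def find_dynamic_template_calls(java_source: str) -> List[Tuple[int, str]]:
    """(line number, first argument) for every .process( call whose template
    argument is built at runtime: a variable, a method call, or concatenation."""
    hits = []
    for number, line in enumerate(java_source.splitlines(), start=1):
        match = PROCESS_CALL.search(line)
        if match and not is_plain_literal(match.group(1)):
            hits.append((number, match.group(1).strip()))
    return hits


# Constructed Java snippet: one safe literal call and three calls to review.
SAMPLE_JAVA = """\
String html = engine.process("welcome", ctx);
String page = engine.process(request.getParameter("tpl"), ctx);
String frag = engine.process("fragments/" + section, ctx);
String mail = mailEngine.process(MAIL_TEMPLATE, ctx);
"""

if __name__ == "__main__":
    for number, arg in find_dynamic_template_calls(SAMPLE_JAVA):
        print(f"line {number}: review template argument {arg!r}")
```

Line 4 of the sample is flagged even though `MAIL_TEMPLATE` may well be a constant; the helper deliberately errs on the side of reporting, and the reviewer confirms where each flagged value originates and whether it is validated against an allowlist before reaching the engine.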

Security Insight

This vulnerability highlights the persistent risk in abstraction layers like template engines, where security controls can be undermined by parser edge cases. It echoes past SSTI incidents in other frameworks, reminding developers that using a “safe” API does not remove the need for proper input validation. For more on how software vulnerabilities can lead to incidents, review recent breach reports.
