Thymeleaf server-side template injection, unauth (CVE-2026-40478)
CVE-2026-40478
Unauthenticated remote attackers can exploit Thymeleaf SSTI to execute arbitrary code on servers. Upgrade to version 3.1.4.RELEASE immediately to block this critical vulnerability.
Patch now - CVE-2026-40478 is a critical SSTI in Thymeleaf 3.1.3.RELEASE and prior that grants unauthenticated remote code execution on application servers. Upgrade to version 3.1.4.RELEASE immediately.
Overview
A critical security bypass vulnerability, CVE-2026-40478, has been identified in the Thymeleaf Java template engine. This flaw allows attackers to circumvent the library’s built-in safeguards, potentially leading to a complete compromise of affected applications.
Vulnerability Details
Thymeleaf versions 3.1.3.RELEASE and earlier contain a weakness in their expression execution mechanisms. While the library includes features designed to prevent unauthorized code execution, specific syntax patterns are not properly neutralized. If a vulnerable application passes unvalidated, user-controlled input directly to the template engine, an attacker can inject and execute arbitrary template expressions.
Impact and Severity
This is a Server-Side Template Injection (SSTI) vulnerability with a CVSS score of 9.0 (CRITICAL). An unauthenticated remote attacker could exploit this flaw to execute code on the server with the same privileges as the Java application. Successful exploitation could lead to data theft, modification, or deletion, and full system takeover depending on the application’s environment and permissions. This vulnerability is not currently listed on CISA’s Known Exploited Vulnerabilities catalog, but its high severity warrants immediate attention.
Affected Versions
- Thymeleaf versions 3.1.3.RELEASE and all prior versions.
Remediation
The issue is fixed in Thymeleaf version 3.1.4.RELEASE. All users must upgrade to this version immediately.
Steps to Remediate:
- Identify all applications using the Thymeleaf template engine.
- Check the Thymeleaf dependency version in your project configuration files (e.g., pom.xml for Maven, build.gradle for Gradle).
- Update the dependency to version 3.1.4.RELEASE or later.
- Rebuild and redeploy your applications.
Mitigation Considerations: If immediate upgrading is not possible, review all code paths where user input is passed to Thymeleaf’s template processing functions. Ensure rigorous input validation and sanitization are applied. However, upgrading is the only complete solution, as the vulnerability resides in the library’s core protections.
Security Insight
This vulnerability highlights the persistent risk in abstraction layers like template engines, where security controls can be undermined by parser edge cases. It echoes past SSTI incidents in other frameworks, reminding developers that using a “safe” API does not absolve the need for proper input validation. For more on how software vulnerabilities can lead to incidents, review recent breach reports.
Update - May 2026
One month after publication, CVE-2026-40478 remains unpatched by the Thymeleaf project. No vendor advisory or fixed release has been issued; all versions through 3.1.3.RELEASE are affected. The EPSS score has marginally decreased from 0.00051 (14th percentile) to 0.0005 (16th percentile), indicating declining exploit speculation and no confirmed in-the-wild attacks. CISA KEV has not added this CVE. No related CVEs in the Spring/Thymeleaf expression injection family have been published since April.
Detection signatures remain proactive: monitor for abnormal template expression patterns (e.g., ${...} constructs embedded in user-supplied input fields, particularly in form submissions and URL parameters). Defenders should implement runtime input validation on all user-controlled data that reaches template rendering contexts, restricting allowed expression syntax to safe whitelists. Until a patch arrives, disable dynamic template evaluation where possible, or migrate to custom rendering wrappers that pre-sanitize expressions. Continue tracking EPSS and KEV for any uptick - the low exploitation probability may change if PoC code surfaces in public channels. Review Spring Boot/Thymeleaf integration hardening guides and consider Web Application Firewall rules blocking known expression syntax.
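The checks described in the mitigation and detection paragraphs above, as an added example that is not part of this advisory: it flags Thymeleaf Standard Dialect expression syntax (including URL-encoded forms) in request parameters and applies an allowlist to any value used to select a template. Parameter names, the allowlist pattern and the sample submission are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Thymeleaf Standard Dialect expression syntaxes. Their presence in user-supplied
# data that reaches template rendering is the signal to alert on.
EXPRESSION_SYNTAX = {
    "variable":  re.compile(r"\$\{"),        # ${...}  variable expression (OGNL / SpEL)
    "selection": re.compile(r"\*\{"),        # *{...}  selection expression
    "message":   re.compile(r"#\{"),         # #{...}  message expression
    "link":      re.compile(r"@\{"),         # @{...}  link URL expression
    "fragment":  re.compile(r"~\{"),         # ~{...}  fragment expression
    "inlining":  re.compile(r"\[\[|\[\("),   # [[...]] / [(...)] text inlining
}

# Constructed allowlist: path-like template names, no dots, no expression characters.
TEMPLATE_NAME_ALLOWLIST = re.compile(r"^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$")

def decode_layers(value, rounds=2):
    """Undo up to `rounds` layers of URL encoding so %24%7B is seen as ${."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_expression_syntax(value):
    """Return the kinds of Thymeleaf expression syntax found in one value."""
    decoded = decode_layers(value)
    return sorted(k for k, rx in EXPRESSION_SYNTAX.items() if rx.search(decoded))

def scan_request_params(params):
    """Map each parameter containing expression syntax to the kinds found."""
    flagged = {}
    for name, value in params.items():
        hits = find_expression_syntax(value)
        if hits:
            flagged[name] = hits
    return flagged

def is_allowed_template_name(value):
    """Allowlist check for any user-controlled value that selects a template."""
    return bool(TEMPLATE_NAME_ALLOWLIST.match(decode_layers(value)))

if __name__ == "__main__":
    # Constructed form submission: two ordinary fields, one field carrying a
    # variable expression, and one carrying it double-URL-encoded.
    sample = {"name": "Alice", "lang": "en",
              "comment": "see ${session} for details",
              "view": "%2524%257Bx%257D"}
    print(scan_request_params(sample))  # {'comment': ['variable'], 'view': ['variable']}
```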