Improper restriction of the scope of accessible objects in Thymeleaf expressions

GHSA-r4v4-5mwr-2fwr · CVE-2026-40477

Published Apr 15, 2026 · Modified May 5, 2026

Description

Impact

A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).

Patches

This has been fixed in Thymeleaf 3.1.4.RELEASE.

Workarounds

No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.

Credits

Thanks to Thomas Reburn (Praetorian) for responsible disclosure.

References

9.0 / 10

CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Packages

Maven/org.thymeleaf:thymeleaf

Fix 3.1.4.RELEASE

Introduced 0

81 affected versions

1.0.01.0.0-beta11.0.0-beta21.0.0-beta31.0.0-beta41.0.0-beta51.0.11.1.01.1.11.1.21.1.31.1.41.1.52.0.02.0.0-beta12.0.0-beta22.0.12.0.102.0.112.0.12 +61 more

Maven/org.thymeleaf:thymeleaf-spring5

Fix 3.1.4.RELEASE

Introduced 0

22 affected versions

3.0.10.RELEASE3.0.11.RELEASE3.0.12.RELEASE3.0.13.RELEASE3.0.14.RELEASE3.0.15.RELEASE3.0.3.M13.0.4.M23.0.5.M33.0.6.M43.0.7.RC13.0.8.RELEASE3.0.9.RELEASE3.1.0.M13.1.0.M23.1.0.M33.1.0.RC13.1.0.RC23.1.0.RELEASE3.1.1.RELEASE +2 more

Maven/org.thymeleaf:thymeleaf-spring6

Fix 3.1.4.RELEASE

Introduced 0

9 affected versions

3.1.0.M13.1.0.M23.1.0.M33.1.0.RC13.1.0.RC23.1.0.RELEASE3.1.1.RELEASE3.1.2.RELEASE3.1.3.RELEASE

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes