Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
Summary
| CVE | CVE-2026-40478 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-17 22:16:33 UTC |
| Updated | 2026-06-30 03:19:18 UTC |
| Description | Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE. |
Risk And Classification
Primary CVSS: v3.1 8.5 HIGH from ADP
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.007760000 probability, percentile 0.512800000 (date 2026-07-02)
Problem Types: CWE-917 | CWE-1336 | CWE-917 CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | CWE-1336 CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine | CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 9 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Thymeleaf | Thymeleaf | affected < 3.1.4.RELEASE | Not specified |
| CNA | Thymeleaf | Org.thymeleafthymeleaf-spring5 | affected < 3.1.4.RELEASE | Not specified |
| CNA | Thymeleaf | Org.thymeleafthymeleaf-spring6 | affected < 3.1.4.RELEASE | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.28 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Single Sign-On 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel For Spring Boot 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79 | [email protected] | github.com | Vendor Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40478.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-40478 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21772 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-04-17T23:01:08.580Z | Reported to Red Hat. |
| ADP | 2026-04-17T21:57:01.560Z | Made public. |
Solutions
ADP: RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28
Workarounds
ADP: The vulnerability arises when unvalidated user input is directly passed to the Thymeleaf template engine. To mitigate this, application developers should implement robust input validation and sanitization for all user-supplied data before it is processed by the Thymeleaf template engine. This ensures that malicious expressions cannot be executed.