CVE-2026-40477: Improper restriction of the scope of accessible objects in Thymeleaf expressions

April 15, 2026 (updated April 24, 2026)

A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library’s protections to achieve Server-Side Template Injection (SSTI).

References

github.com/advisories/GHSA-r4v4-5mwr-2fwr
github.com/thymeleaf/thymeleaf
github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr
nvd.nist.gov/vuln/detail/CVE-2026-40477

Code Behaviors & Features

Detect and mitigate CVE-2026-40477 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →