Patches critical Thymeleaf SSTI protection bypass
TL;DR — A critical Thymeleaf expression-execution bypass can enable server-side template injection (SSTI) when unvalidated user input is passed to the template engine.
What happened
Thymeleaf is a server-side Java template engine commonly used to render dynamic HTML in web applications, including Spring-based stacks.
CVE-2026-40478 describes a Critical (CVSS 3.1 9.1) security bypass in Thymeleaf’s expression execution mechanisms: although Thymeleaf provides defenses intended to prevent expression injection, it fails to properly neutralize specific syntax patterns, allowing execution of unauthorized expressions.
In practical terms, this becomes an unauthenticated remote SSTI risk when an application passes unvalidated user input into Thymeleaf expression/template evaluation paths. “Protection bypass” flaws in template engines are high-consequence because they turn a common developer footgun (untrusted input reaching templates) into full server-side execution in the application’s trust boundary.
Who is impacted
- Applications using Thymeleaf where untrusted input can reach template/expression evaluation.
- Affected components and versions (per CVE record):
| Component | Affected versions (per CVE record) | Fixed version (per CVE record) |
|---|---|---|
| thymeleaf | < 3.1.4.RELEASE | 3.1.4.RELEASE |
| org.thymeleaf:thymeleaf-spring5 | < 3.1.4.RELEASE | 3.1.4.RELEASE |
| org.thymeleaf:thymeleaf-spring6 | < 3.1.4.RELEASE | 3.1.4.RELEASE |
What to do now
- Follow vendor remediation guidance and apply the patched release.
"This issue has been fixed in version 3.1.4.RELEASE."
- Inventory services and build artifacts that include thymeleaf, thymeleaf-spring5, or thymeleaf-spring6, and prioritize internet-exposed apps.
- Audit template rendering and expression usage to ensure untrusted input is not passed directly into template/expression evaluation.
- If compromise is suspected, investigate server logs and request traces for suspicious template/expression payload patterns and rotate secrets accessible to impacted services per your incident response playbooks.
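The audit item above is easier to act on with a concrete picture of the footgun. The following is an added example, not code from the advisory or from the Thymeleaf project: the same request value rendered first by concatenating it into the template source (the pattern the bypass makes exploitable) and then by passing it as a model variable that `th:text` escapes. It assumes Thymeleaf 3.x on the classpath and uses only public API (`TemplateEngine`, `Context`, `StringTemplateResolver`).

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

// Added example, not part of the advisory or the Thymeleaf code base.
// Shows why the audit step matters: the engine must only ever see
// developer-authored template source, never request data.
public class ThymeleafInputHandling {

    private static TemplateEngine newEngine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // UNSAFE pattern: the request value becomes part of the template source,
    // so the engine parses it as markup and expression syntax instead of data.
    // This stays unsafe even after the 3.1.4.RELEASE update; the patch narrows
    // the bypass, it does not make untrusted template source acceptable.
    static String renderUnsafe(TemplateEngine engine, String userInput) {
        String template = "<p>Hello, " + userInput + "</p>";
        return engine.process(template, new Context());
    }

    // SAFE pattern: the template is a fixed constant written by the developer;
    // the request value travels as a context variable and is only ever
    // emitted by th:text, which HTML-escapes it.
    private static final String GREETING =
            "<p th:text=\"'Hello, ' + ${name}\">placeholder</p>";

    static String renderSafe(TemplateEngine engine, String userInput) {
        Context ctx = new Context();
        ctx.setVariable("name", userInput);
        return engine.process(GREETING, ctx);
    }

    public static void main(String[] args) {
        TemplateEngine engine = newEngine();
        // Constructed sample input: markup that a user could type into a form.
        String input = "<b>hi</b>";
        // Unsafe path: the <b> tag is interpreted as part of the template.
        System.out.println(renderUnsafe(engine, input));
        // Safe path: the same value is rendered literally, as escaped text.
        System.out.println(renderSafe(engine, input));
    }
}
```

The fix for this CVE is still the 3.1.4.RELEASE update; the safe pattern is the audit target that keeps the bypass unreachable in the first place.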
