CVE-2026-46638 in Twiginfo

Summary

by MITRE • 07/15/2026

Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing the cached template to use tags, filters, and functions that should have been denied by SecurityPolicy::checkSecurity(). This issue is fixed in version 3.26.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability described affects Twig, a popular template engine for PHP applications, specifically impacting versions prior to 3.26.0. This security flaw represents a critical sandbox bypass mechanism that undermines the intended security boundaries within the template rendering system. The issue stems from improper handling of template caching mechanisms when executing includes within sandboxed contexts, creating a pathway for unauthorized template operations.

The technical implementation flaw occurs within the template processing pipeline where the {% sandbox %} directive fails to properly re-evaluate security policies when including templates that were previously loaded outside of the sandboxed environment. This creates a scenario where cached templates maintain their original security context rather than being re-validated against the current sandbox restrictions. The SecurityPolicy::checkSecurity() method, which should enforce access controls and deny unauthorized operations, is effectively bypassed for cached template content.

From an operational perspective, this vulnerability allows attackers to execute potentially malicious template operations that should have been restricted by security policies. An attacker could leverage this flaw to include previously loaded templates containing forbidden tags, filters, or functions that would normally be denied within the sandboxed context. This creates a persistent threat vector where previously authorized template content can be reused in restricted environments without proper security re-evaluation.

The vulnerability directly maps to CWE-284 Access Control Bypass and aligns with ATT&CK technique T1059 Command and Scripting Interpreter, specifically targeting the execution of unauthorized template operations. The security implications extend beyond simple permission bypass to encompass potential code execution and privilege escalation within applications using affected Twig versions. Organizations utilizing PHP applications with sandboxed template processing are particularly at risk when running vulnerable versions.

Mitigation strategies include immediate upgrade to Twig version 3.26.0 or later, which implements proper security policy re-evaluation for cached templates within sandboxed contexts. Additional defensive measures involve implementing comprehensive template security policies, regular security audits of template usage patterns, and monitoring for unauthorized template operations. Organizations should also consider implementing template validation mechanisms and restricting template loading from untrusted sources to minimize the attack surface.

The fix implemented in version 3.26.0 addresses the core issue by ensuring that SecurityPolicy::checkSecurity() is properly invoked regardless of whether templates are loaded within or outside sandbox contexts. This change enforces consistent security policy enforcement across all template operations, preventing the cached template bypass that previously allowed unauthorized access to restricted template features and maintaining proper isolation between different template execution environments.

Responsible

GitHub M

Reservation

05/15/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!