CVE-2026-46639 in Twig
Summary
by MITRE • 07/15/2026
Twig is a template language for PHP. From 3.24.0 until 3.26.0, object-destructuring assignment compiles CoreExtension::getAttribute() with the sandbox argument hardcoded to false, disabling property and method policy checks and allowing an attacker with write access to a sandboxed Twig template to read public properties or invoke public getters on objects passed to the template engine. This issue is fixed in version 3.26.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability exists within the Twig template engine for PHP, specifically affecting versions between 3.24.0 and 3.26.0 inclusive. This represents a critical security flaw that undermines the sandboxing mechanisms designed to protect applications from malicious template code execution. The issue stems from how the template compiler handles object-destructuring assignments in sandboxed environments, creating a pathway for privilege escalation through improper access control enforcement.
The technical flaw manifests when the CoreExtension::getAttribute() method is compiled with a hardcoded sandbox argument set to false. This parameter normally controls whether property and method access policies are enforced during template execution. When hardcoded to false, the template engine bypasses all security checks that would typically prevent unauthorized access to object members. The vulnerability specifically affects public properties and methods that could be accessed through getter functions, effectively allowing attackers to extract sensitive information from objects passed into the templating system.
From an operational impact perspective, this vulnerability creates a severe risk for applications using Twig templates in environments where user input is processed through the template engine. Attackers with write access to sandboxed templates can leverage this flaw to read public properties and invoke public methods on objects that should remain protected. This could potentially expose sensitive application data, configuration information, or internal object states that were intended to be inaccessible to untrusted template code. The attack vector is particularly dangerous because it operates within the legitimate template execution path, making detection more challenging.
The vulnerability aligns with CWE-284 Access Control Issues, specifically targeting improper access control enforcement in sandboxed environments. From an ATT&CK framework perspective, this maps to T1059 Command and Scripting Interpreter and T1566 Impair Defenses, as it allows attackers to bypass security controls through legitimate template processing mechanisms. The flaw demonstrates a classic case of insufficient input validation within trusted code paths, where hardcoded security parameters create exploitable conditions.
Organizations should immediately upgrade to Twig version 3.26.0 or later to remediate this vulnerability. Additionally, administrators should review existing templates for potential malicious code injection and implement comprehensive monitoring of template modifications. Security teams should also consider implementing runtime protections that detect unusual object access patterns and establish strict template validation policies. The fix addresses the core issue by properly enforcing sandbox security parameters during compilation, ensuring that attribute access controls remain active even during object-destructuring operations.