CVE-2026-49981 in Twig
Summary
by MITRE • 07/15/2026
Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was originally checked with a different or empty policy. This issue is fixed in version 3.27.0.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/15/2026
This vulnerability affects the Twig template engine for PHP and represents a critical sandbox bypass flaw that undermines the security model designed to protect applications from malicious template code execution. The issue stems from improper cache management during template compilation and rendering processes, specifically within the template sandboxing mechanism that controls which filters, tags, and functions are permitted during template execution. When a Template instance is constructed, the system evaluates whether the template adheres to configured security policies, but this evaluation result becomes cached and persists across multiple render operations even when the sandbox configuration changes between invocations.
The technical flaw manifests as a cache invalidation problem where the per-template security verdicts are computed once during initial template construction and then reused regardless of subsequent sandbox state modifications. This behavior creates a scenario where a template that was originally validated with an extensive allow-list policy might later be executed with a restricted policy, potentially allowing previously forbidden operations to succeed. The vulnerability essentially allows attackers to bypass security restrictions by leveraging the cached evaluation results from earlier template executions when different sandbox configurations were active.
The operational impact of this vulnerability is significant as it enables arbitrary code execution within the context of applications using Twig templates, particularly affecting web applications that process untrusted user input through template rendering. Attackers could craft malicious templates that appear harmless under one security policy but exploit the cached evaluation results to execute forbidden operations when the same template is rendered later with a different policy configuration. This issue affects any application where Twig templates are used for dynamic content generation and where sandbox policies might change between template renderings.
The fix implemented in version 3.27.0 addresses this by ensuring that template security verdicts are recomputed or properly invalidated when sandbox states change between render operations, preventing the reuse of cached security assessments that may no longer be valid. This update aligns with secure coding practices that require proper cache invalidation when security-relevant state changes occur, and it demonstrates adherence to principles outlined in the CWE-254 category for security misconfigurations. Organizations should prioritize updating to version 3.27.0 or later to mitigate this risk, while also implementing monitoring for template rendering activities to detect potential exploitation attempts. The vulnerability does not directly map to specific ATT&CK techniques but represents a broader class of sandbox bypass vulnerabilities that could enable privilege escalation and arbitrary code execution within affected applications.