CVE-2026-41901: Thymeleaf SSTI Bypass Breaks Template Sandboxing—Enterprise Java Under Fire
TL;DR
A critical Server-Side Template Injection (SSTI) vulnerability in Thymeleaf (through version 3.1.4.RELEASE) breaks the library's sandboxing mechanisms, allowing attackers to execute arbitrary expressions—and ultimately arbitrary code—by exploiting how unsanitized user input flows into restricted template contexts. CVSS 9.0. Fix: upgrade to Thymeleaf 3.1.5.RELEASE immediately.
What Happened
On May 12, 2026, Thymeleaf developers disclosed CVE-2026-41901, a critical security bypass in the popular Java server-side template engine. The vulnerability is tracked under CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement.
Thymeleaf is widely embedded in Spring Boot applications, legacy enterprise Java systems, and cloud-native architectures across financial services, healthcare, e-commerce, and SaaS. It's trusted by millions of developers to safely render dynamic content while providing "restricted" or "sandboxed" execution contexts to prevent abuse.
But this vulnerability breaks that contract completely.
Technical Details
The Sandboxing Illusion
Thymeleaf's sandboxing aims to prevent dangerous constructs—like arbitrary Java method invocation or system calls—from running inside templates. If a developer marks a section as "restricted," the engine is supposed to block risky expressions.
The Bypass
The flaw lies in improper neutralization of special Expression Language (EL) constructs. Specifically:
- An attacker crafts a malicious expression using specific language features that the sandbox's allowlist/blocklist doesn't properly guard against.
- If an application passes unsanitized user input containing such crafted expressions into a sandboxed template context, the expressions execute anyway.
- The vulnerability allows expression language injection (${...}, [(...)], and other EL syntax) to bypass restrictions.
- Result: Code execution with the privileges of the Thymeleaf process—typically the application server itself.
Attack Surface
Vulnerable in: Thymeleaf <= 3.1.4.RELEASE
Fixed in: Thymeleaf 3.1.5.RELEASE
Affected flows:
- User-supplied form data passed to templates
- URL parameters rendered in restricted template sections
- Database records displayed in dynamically generated HTML
- API responses fed into template rendering pipelines
Exploitation Path
1. Attacker identifies a Java web application using Thymeleaf
2. Attacker locates a vector where user input flows into template rendering (search box, product name, user profile field, etc.)
3. Attacker crafts a Thymeleaf EL expression that bypasses sandboxing (e.g., calling arbitrary Java methods or accessing restricted objects)
4. Application is vulnerable if the input is rendered in a "restricted" context that the developer thought was safe
5. Expression executes server-side, giving attacker code execution
Real-World Example
Search input: "test' + T(java.lang.Runtime).getRuntime().exec('whoami') + '"
If this passes through Thymeleaf's restricted template rendering without proper input validation, the sandbox bypass allows the expression to execute.
Lyrie Assessment
Why This Matters for CISOs
1. Widespread Risk: Thymeleaf is ubiquitous in Spring Boot microservices, especially in enterprises built on Java for the last decade. If you use Java web frameworks, you almost certainly depend on Thymeleaf.
2. False Confidence: Developers familiar with Thymeleaf's "restricted contexts" may believe their input-handling is safe because they're using the sandbox feature. This vulnerability shatters that assumption.
3. Supply Chain Consequences: If attackers compromise a Thymeleaf application, they gain RCE on enterprise infrastructure. From there, lateral movement to databases, APIs, and cloud resources is trivial.
4. Detection Difficulty: SSTI attacks are notoriously hard to detect with WAF/IDS rules. The malicious payload looks like normal template syntax and may not trigger signature-based detection.
5. Autonomous Defense Gap: Traditional EDR solutions detect the result of code execution (process spawning, file writes, network calls). But sophisticated SSTI exploitation can use in-process attacks (memory manipulation, thread hijacking) that leave minimal traces. Lyrie's agentic defense can recognize abnormal template evaluation patterns and shut down exploitation in-process before the attacker's code runs.
Recommended Actions
Immediate (< 24 hours):
1. Inventory all Java applications using Thymeleaf and identify which versions are deployed.
2. Test upgrades to Thymeleaf 3.1.5.RELEASE in a staging environment to ensure no regressions.
3. Prioritize patching for:
- Internet-facing applications (highest risk)
- Applications handling sensitive data (PII, financial records, credentials)
- Applications with user-generated content or community features
Short-term (1 week):
1. Patch production: Deploy Thymeleaf 3.1.5.RELEASE across all affected services.
2. Input validation audit: Even with the patch, review where user input flows into templates. Enforce strict input validation (allowlist approach).
3. WAF rules: Deploy rules to detect SSTI-like payloads in URL parameters, form fields, and API payloads (e.g., signatures for the T(java.lang…) type operator, java.lang.Runtime, and method invocation syntax).
Ongoing:
1. Monitoring: Log all template rendering errors and suspicious EL evaluation. Flag any abnormal template parsing or expression failures.
2. Dependency scanning: Integrate Thymeleaf version checks into your SBOM/dependency scanning pipeline.
3. Threat hunting: Search logs for evidence of SSTI exploitation (malformed EL expressions, Runtime class calls, process spawning from application servers).
4. Agentic hardening: Deploy runtime behavior analysis on application servers to detect anomalous thread spawning, system calls, or memory access patterns that indicate post-exploitation activity.
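An added example, not code from the advisory or from the Thymeleaf project, of the log search in the Ongoing list (steps 1 and 3) and the signature approach from the Short-term WAF item: a weighted scorer for Thymeleaf/Spring EL indicators run over constructed access-log lines, one of which carries the advisory's example search input URL-encoded. The indicator weights, the alert threshold and the sample log lines are assumptions chosen for this example.

```python
import re
from urllib.parse import parse_qsl, quote_plus, unquote_plus, urlsplit

# Weighted indicators of Thymeleaf / Spring EL injection attempts in a parameter value.
# Weights are hand-picked assumptions so a lone "${" in a legitimate value stays below the threshold.
INDICATORS = [
    (re.compile(r"[$*#@~]\{"), 3, "expression-opener"),                        # ${ *{ #{ @{ ~{
    (re.compile(r"\[\[|\[\("), 2, "inlining-opener"),                          # [[...]] / [(...)]
    (re.compile(r"__[$*#@~]\{.+?\}__"), 2, "preprocessing"),                   # __${...}__
    (re.compile(r"\bT\(\s*[\w.]+\s*\)"), 5, "type-operator"),                  # T(java.lang.Runtime)
    (re.compile(r"\b(getRuntime|exec|ProcessBuilder|forName|invoke)\s*\("), 5, "dangerous-method"),
    (re.compile(r"\bnew\s+[\w.]+\s*\("), 3, "constructor"),
    (re.compile(r"\bjava\.(lang|io|nio|net)\."), 2, "jdk-package"),
]
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH) (\S+) HTTP/')

def score_value(value: str) -> tuple[int, list[str]]:
    """Score one URL-decoded parameter value; decode once more to catch double encoding."""
    decoded = unquote_plus(value)
    score, hits = 0, []
    for pattern, weight, name in INDICATORS:
        if pattern.search(decoded):
            score += weight
            hits.append(name)
    return score, hits

def scan_log_lines(lines, threshold: int = 5):
    """Return (line_no, param, score, hits) for each query parameter at or above threshold.
    Only the request line is inspected: form bodies never reach an access log, so POST
    parameters need the WAF or application log instead."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for param, value in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
            score, hits = score_value(value)
            if score >= threshold:
                findings.append((line_no, param, score, hits))
    return findings

# Constructed access-log lines; the second carries the advisory's example search input, URL-encoded.
EXAMPLE_PAYLOAD = "test' + T(java.lang.Runtime).getRuntime().exec('whoami') + '"
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2026:10:00:01 +0000] "GET /search?q=spring+boot+tutorial HTTP/1.1" 200 4821',
    f'198.51.100.7 - - [12/May/2026:10:00:09 +0000] "GET /search?q={quote_plus(EXAMPLE_PAYLOAD)} HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/May/2026:10:00:15 +0000] "GET /search?q=what+is+%24%7Bvar%7D+in+bash HTTP/1.1" 200 3310',
]

if __name__ == "__main__":
    for line_no, param, score, hits in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: param {param!r} score {score} indicators {hits}")
```

The third sample line shows why the weighting matters: a benign question mentioning ${var} scores 3 and is not reported, while the example payload scores 12 on the type operator, method invocation and JDK package indicators combined.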
Recommended Actions by Team
For Development Teams:
- Upgrade Thymeleaf to 3.1.5.RELEASE immediately
- Remove reliance on sandboxing as the primary security control; use input validation instead
- Use Spring Security's built-in expression restrictions (hasRole(), hasAuthority()) rather than custom EL
For Security Teams:
- Flag all Thymeleaf deployments <= 3.1.4 as critical remediation targets
- Test detection rules for SSTI payloads in your SIEM
- Brief incident response on SSTI exploitation tactics (Java reflection, process execution, JAR loading from memory)
For Infrastructure Teams:
- Deploy application isolation (containers, VMs) to limit the blast radius of RCE
- Restrict outbound network access from application servers to only required destinations
- Monitor Java process behavior (thread creation, file access, network connections) in real-time
Sources
1. TheHackerWire: CVE-2026-41901 Critical Vulnerability
2. Checkmarx DevHub: CVE-2026-41901 Details
3. Thymeleaf SSTI Bypass Advisory
Lyrie.ai Cyber Research Division
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.