CVE-2026-46639
Twig: Sandbox property and method bypass via object-destructuring assignment
Description
### Description The object-destructuring assignment syntax introduced in Twig 3.24.0 generates a call to `CoreExtension::getAttribute()` with the `$sandboxed` argument hardcoded to `false`, regardless of whether a `SandboxExtension` is active. This permanently disables the sandbox's property and method policy checks for every destructuring expression. `ObjectDestructuringSetBinary::compile()` emits: ```php CoreExtension::getAttribute($this->env, $this->source, ..., \Twig\Template::ANY_CALL, false, false, false, ...); // ^^^^^ // sandbox check never runs ``` Whereas `GetAttrExpression::compile()` correctly passes `$env->hasExtension(SandboxExtension::class)`. An attacker with write access to a sandboxed Twig template can read any public property or invoke any public getter on objects passed to the template engine, bypassing `SecurityPolicy` restrictions. The exploit requires only the `{% do %}` tag to be in `allowedTags`, which is a common configuration. ### Resolution The destructuring compiler now forwards the active sandbox flag to `getAttribute()` so property/method allowlists are enforced. ### Credits Twig would like to thank Anvil Secure in collaboration with Claude and Anthropic Research for reporting and fixing the issue.
Affected packages (2)
- Debian/php-twigfrom 0, < 3.26.0-1
- Packagist/twig/twig>= 3.24.0, < 3.26.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (5)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-46639
- PATCHhttps://github.com/twigphp/Twig
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2026-46639.yaml
- WEBhttps://github.com/twigphp/Twig/security/advisories/GHSA-mm6w-gr99-p3jj
- WEBhttps://symfony.com/cve-2026-46639