Affected versions

Twig versions >=3.24.0, <3.26.0 are affected by this security issue.

The issue has been fixed in Twig 3.26.0.

The object-destructuring assignment syntax introduced in Twig 3.24.0 generates a call to CoreExtension::getAttribute() with the $sandboxed argument hardcoded to false, regardless of whether a SandboxExtension is active. This permanently disables the sandbox's property and method policy checks for every destructuring expression.

ObjectDestructuringSetBinary::compile() emits:

        1
2
3
        CoreExtension::getAttribute($this->env, $this->source, ..., \Twig\Template::ANY_CALL, false, false, false, ...);
//                                                                                ^^^^^
//                                                                       sandbox check never runs
    

Whereas GetAttrExpression::compile() correctly passes $env->hasExtension(SandboxExtension::class).

An attacker with write access to a sandboxed Twig template can read any public property or invoke any public getter on objects passed to the template engine, bypassing SecurityPolicy restrictions. The exploit requires only the {% do %} tag to be in allowedTags, which is a common configuration.

Resolution

The destructuring compiler now forwards the active sandbox flag to getAttribute() so property/method allowlists are enforced.

Credits

We would like to thank Anvil Secure in collaboration with Claude and Anthropic Research for reporting and fixing the issue.

Published in #Security Advisories #Twig

CVE-2026-46639 Sandbox property and method bypass via object-destructuring assignment

Affected versions

Description

Resolution

Credits

Comments

Become a Symfony contributor