CVE-2026-47732: CWE-863: Incorrect Authorization in twigphp Twig
Twig, a PHP template language, has an authorization vulnerability prior to version 3.26.0. Several Twig language constructs allow sandboxed template authors to invoke the __toString() method on objects without proper authorization checks. This occurs due to PHP string coercion on Stringable operands bypassing SecurityPolicy::checkMethodAllowed(). The issue is fixed in Twig version 3.26.0.
AI Analysis
Technical Summary
CVE-2026-47732 describes an incorrect authorization vulnerability (CWE-863) in twigphp Twig versions before 3.26.0. The vulnerability arises because multiple Twig language constructs trigger PHP string coercion on Stringable objects without consulting the SecurityPolicy::checkMethodAllowed() method. This allows sandboxed template authors to invoke the __toString() method on objects accessible in the render context through various expressions and tags, including conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the range operator. This bypass of authorization checks could lead to unintended method invocation. The vulnerability is resolved in Twig version 3.26.0.
Potential Impact
An attacker with the ability to author sandboxed templates can invoke the __toString() method on objects reachable in the rendering context without proper authorization. This could lead to unauthorized code execution paths or information disclosure depending on the __toString() implementations. The CVSS 4.0 score is 7.1 (high), indicating a significant risk if exploited. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Twig to version 3.26.0 or later, where this authorization bypass vulnerability is fixed. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated but the fix is included in version 3.26.0, so upgrading to this version or newer is the recommended mitigation.
CVE-2026-47732: CWE-863: Incorrect Authorization in twigphp Twig
Description
Twig, a PHP template language, has an authorization vulnerability prior to version 3.26.0. Several Twig language constructs allow sandboxed template authors to invoke the __toString() method on objects without proper authorization checks. This occurs due to PHP string coercion on Stringable operands bypassing SecurityPolicy::checkMethodAllowed(). The issue is fixed in Twig version 3.26.0.
CVSS v4.0
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-47732 describes an incorrect authorization vulnerability (CWE-863) in twigphp Twig versions before 3.26.0. The vulnerability arises because multiple Twig language constructs trigger PHP string coercion on Stringable objects without consulting the SecurityPolicy::checkMethodAllowed() method. This allows sandboxed template authors to invoke the __toString() method on objects accessible in the render context through various expressions and tags, including conditional expressions, comparison operators, tests, template-loading tags, dynamic attribute names, spread arguments, the do tag, and the range operator. This bypass of authorization checks could lead to unintended method invocation. The vulnerability is resolved in Twig version 3.26.0.
Potential Impact
An attacker with the ability to author sandboxed templates can invoke the __toString() method on objects reachable in the rendering context without proper authorization. This could lead to unauthorized code execution paths or information disclosure depending on the __toString() implementations. The CVSS 4.0 score is 7.1 (high), indicating a significant risk if exploited. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Twig to version 3.26.0 or later, where this authorization bypass vulnerability is fixed. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated but the fix is included in version 3.26.0, so upgrading to this version or newer is the recommended mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-19T22:16:39.503Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a56aea268715ace4342b115
Added to database: 07/14/2026, 21:48:18 UTC
Last enriched: 07/14/2026, 22:19:17 UTC
Last updated: 07/14/2026, 22:27:27 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.