CVE Disclosure

CVE-2026-46627

Twig · PHP

Sandbox resource exhaustion — uncontrolled CPU/memory consumption in untrusted templates

Severity: Moderate
Class: CWE-400
Fixed in: 3.26.0
Status: Published

Summary

CVE-2026-46627 is a moderate-severity uncontrolled resource consumption (CWE-400) issue in the Twig templating engine's sandbox. The sandbox is designed to prevent untrusted templates from reaching code, data, methods, or properties they shouldn't — but it does not restrict how much CPU, memory, or execution time a template may consume.

An untrusted template can exhaust host resources even with the sandbox active and strict allow-lists in place, leading to denial-of-service conditions through large ranges, nested loops, string operations, recursive macros, and expensive filters.

Impact

Denial of service. The sandbox bounds what a template can touch, not how much work it can demand. An attacker who can supply template source — for example, a product that lets users author Twig snippets — can render the host unresponsive without ever escaping the sandbox.

Resolution

Twig 3.26.0 documents this as an intentional design limitation rather than a fixable template-level bug. The protection is process-level containment, not sandbox configuration: set PHP memory_limit and max_execution_time, render untrusted templates in isolated worker processes, and apply OS-level resource limits (cgroups, ulimits).

The takeaway for reviewers: a sandbox is an access-control boundary, not a resource-control boundary. If your threat model includes untrusted template authors, resource limits must live in the runtime around Twig, not inside it.
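As an added example (not Twig's own code) of the process-level containment described above, the untrusted template is rendered in a short-lived child PHP process carrying a memory_limit, a CPU-time limit and a wall-clock timeout, while the sandbox allow-lists keep restricting what the template may access. It assumes Composer's vendor/autoload.php, GNU coreutils `timeout`, and that the file is saved as render.php; the limit values are illustrative.

```php
<?php
declare(strict_types=1);
// Added example, not Twig project code. The sandbox bounds WHAT a template may
// touch; the child-process limits below bound HOW MUCH work it may do.
use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
require __DIR__ . '/vendor/autoload.php';

const WORKER_MEMORY  = '64M'; // memory_limit inside the worker process (illustrative)
const WORKER_SECONDS = 3;     // wall-clock budget enforced by `timeout`, outside PHP

// Sandboxed render: strict allow-lists, yet 'for' plus range() alone let a
// template demand unbounded CPU and memory.
function renderSandboxed(string $source, array $context): string
{
    $policy = new SecurityPolicy(['if', 'for'], ['escape', 'upper'], [], [], ['range']);
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig->createTemplate($source)->render($context);
}

// Parent side: run the render in a throwaway child with hard limits.
// Returns null when the child is killed by timeout or dies on memory_limit.
function renderWithLimits(string $source, array $context): ?string
{
    $cmd = sprintf(
        'timeout --signal=KILL %d %s -d memory_limit=%s -d max_execution_time=%d %s --worker',
        WORKER_SECONDS, escapeshellarg(PHP_BINARY), WORKER_MEMORY, WORKER_SECONDS, escapeshellarg(__FILE__)
    );
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    fwrite($pipes[0], json_encode(['source' => $source, 'context' => $context]));
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]); fclose($pipes[2]);
    return proc_close($proc) === 0 ? $out : null;
}

// Worker side: `php render.php --worker`, job arrives as JSON on stdin.
if (in_array('--worker', $_SERVER['argv'] ?? [], true)) {
    $job = json_decode(stream_get_contents(STDIN), true, 512, JSON_THROW_ON_ERROR);
    echo renderSandboxed($job['source'], $job['context']);
    exit(0);
}

// Constructed demo: benign input renders; a runaway loop returns null instead of hanging the host.
var_dump(renderWithLimits('Hello {{ name|upper }}', ['name' => 'twig']));
var_dump(renderWithLimits('{% for i in range(1, 10**9) %}{% endfor %}', []));
```

A null result is the signal to log and rate-limit the submitting user; in production the child would additionally run under a cgroup or ulimit so that limits hold even if PHP's own settings are bypassed.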

References

GitHub Security Advisory GHSA-923g-j88x-j34q · MITRE CVE record for CVE-2026-46627 · NVD detail page
Disclosure

Reported by Kai Aizen (SnailSploit). Status: Published. Coordinated with the Twig maintainers; resolved in 3.26.0 with documented process-level mitigations.

Author
Kai Aizen
Independent Adversarial · Research group. Published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID: CVE-2026-46627
Product: Twig (PHP)
Severity: Moderate
Class: CWE-400
Affected: twig/twig < 3.26.0 · Fixed: 3.26.0
References: GHSA-923g-j88x-j34q · MITRE · NVD
Frequently asked

CVE-2026-46627 — questions & answers

What is CVE-2026-46627?

An uncontrolled-resource-consumption issue (CWE-400) in the Twig templating engine's sandbox. The sandbox prevents untrusted templates from reaching code, data, methods, or properties they shouldn't — but it does not restrict how much CPU, memory, or execution time a template can consume. Large ranges, nested loops, string operations, recursive macros, and expensive filters can exhaust resources.

Am I affected by CVE-2026-46627?

You are affected if your application renders untrusted, user-supplied Twig templates and relies on the sandbox as the only protection. Affected versions are twig/twig before 3.26.0. If templates are authored only by trusted developers, the practical risk is low.

How do I fix CVE-2026-46627?

Twig 3.26.0 documents this as a design limitation. The fix is process-level containment: set PHP memory_limit and max_execution_time, render untrusted templates in isolated worker processes, and apply OS-level resource limits (cgroups, ulimits). Do not rely on the sandbox alone to bound resource use.

What is the impact of CVE-2026-46627?

Denial of service. An untrusted template can exhaust CPU, memory, or execution time on the rendering host despite an active sandbox with strict allow-lists. Severity is Moderate.

Where can I find authoritative references?

The Twig GitHub Security Advisory GHSA-923g-j88x-j34q, the MITRE CVE record for CVE-2026-46627, and the NVD detail page once published.