diff --git a/docs/guides/ui-customization/themes.adoc b/docs/guides/ui-customization/themes.adoc
index 61af05869ff..267d725120e 100644
--- a/docs/guides/ui-customization/themes.adoc
+++ b/docs/guides/ui-customization/themes.adoc
@@ -377,6 +377,9 @@ Themes can be deployed to {project_name} by copying the theme directory to `them
 theme to the `themes` directory, but in production you may want to consider using an `archive`. An `archive` makes it simpler to have a versioned copy of the theme, especially when you have multiple instances of {project_name} for example with clustering.
+WARNING: Themes contain FreeMarker templates that the server renders at runtime, so a malicious template can run code as the {project_name} process. Install themes only from trusted sources, and restrict write access to the `themes` directory and to theme JARs under `providers/` to trusted operators.
+
+
 .Procedure
 . To deploy a theme as an archive, create a JAR archive with the theme resources.
diff --git a/services/src/main/java/org/keycloak/theme/freemarker/DefaultFreeMarkerProvider.java b/services/src/main/java/org/keycloak/theme/freemarker/DefaultFreeMarkerProvider.java
index 31ea9c0b0f2..9a484d82cd4 100644
--- a/services/src/main/java/org/keycloak/theme/freemarker/DefaultFreeMarkerProvider.java
+++ b/services/src/main/java/org/keycloak/theme/freemarker/DefaultFreeMarkerProvider.java
@@ -13,6 +13,7 @@ import org.keycloak.theme.Theme;
 
 import freemarker.cache.URLTemplateLoader;
 import freemarker.core.HTMLOutputFormat;
+import freemarker.core.TemplateClassResolver;
 import freemarker.template.Configuration;
 import freemarker.template.Template;
 
@@ -63,6 +64,7 @@ public class DefaultFreeMarkerProvider implements FreeMarkerProvider {
 cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
 }
 
+ cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
 cfg.setTemplateLoader(new ThemeTemplateLoader(theme));
 return cfg.getTemplate(templateName, "UTF-8");
 }
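Review bot: The new `cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);` line in the second hunk of DefaultFreeMarkerProvider.java needs a why-comment, because it is the only hardening step in this method and nothing marks it as load-bearing for security, e.g. `// Disable the ?new built-in: theme templates are not fully trusted and must not be able to instantiate arbitrary classes.` Note that this resolver governs only `?new`; objects already reachable through the data model and the bean wrapper (static members, or `?api` if that built-in were ever enabled) are not restricted by it, so if the bundled FreeMarker version supports `MemberAccessPolicy` (e.g. `WhitelistMemberAccessPolicy`), consider pairing this with one — that dependency on the FreeMarker version is an inference, not visible in the hunk. Because ALLOWS_NOTHING_RESOLVER rejects at render time rather than at parse time, any existing theme that uses `?new` will start failing when its page is rendered, and that behavior change is worth stating next to the WARNING added in themes.adoc and in the release notes. The enclosing method starts outside the hunk.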