TYPO3 CMS - Broken Access Control in File Abstraction Layer
Summary
| CVE | CVE-2026-49738 |
|---|---|
| State | PUBLISHED |
| Assigner | TYPO3 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-09 11:16:53 UTC |
| Updated | 2026-06-09 13:46:50 UTC |
| Description | The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. |
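The separator-boundary defect from the description, as an added example rather than TYPO3's own code or its actual patch: a plain prefix test beside a variant that requires the project root to be followed by a directory separator. The function names, the project root and the candidate paths are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative reimplementation of the check described in the advisory,
// not TYPO3's own code. Assumes $projectRoot and $path are already absolute
// and normalised (no "." or ".." segments); only the prefix boundary is
// demonstrated here.

/** Vulnerable variant: plain string prefix test, no separator boundary. */
function isAllowedAbsPathVulnerable(string $path, string $projectRoot): bool
{
    return substr($path, 0, strlen($projectRoot)) === $projectRoot;
}

/**
 * Hardened variant: the candidate must equal the root exactly or begin with
 * the root followed by a directory separator, so a sibling directory such
 * as /var/www/html-other no longer matches the root /var/www/html.
 */
function isAllowedAbsPathFixed(string $path, string $projectRoot): bool
{
    $root = rtrim($projectRoot, '/');
    return $path === $root
        || substr($path, 0, strlen($root) + 1) === $root . '/';
}

// Constructed sample inputs; the sibling path is the one named in the advisory.
$projectRoot = '/var/www/html';
$candidates = [
    '/var/www/html/fileadmin/report.pdf',
    '/var/www/html',
    '/var/www/html-other/secret.yaml',
    '/var/www/htmlx',
];

foreach ($candidates as $candidate) {
    printf(
        "%-36s vulnerable: %-5s fixed: %s\n",
        $candidate,
        var_export(isAllowedAbsPathVulnerable($candidate, $projectRoot), true),
        var_export(isAllowedAbsPathFixed($candidate, $projectRoot), true)
    );
}
```

Running it shows the two sibling paths accepted by the vulnerable variant and rejected by the fixed one, while paths at or below the root pass both.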
Risk And Classification
Primary CVSS: v4.0 2.1 LOW from f4fb688c-4412-4426-b4b8-421ecf27b14a
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | f4fb688c-4412-4426-b4b8-421ecf27b14a | Secondary | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | Present |
| Privileges Required | High |
| User Interaction | None |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
| Sub Conf. | None |
| Sub Integrity | None |
| Sub Availability | None |
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | TYPO3 | TYPO3 CMS | affected: before 10.4.57 (semver) | Not specified |
| CNA | TYPO3 | TYPO3 CMS | affected: 11.0.0-11.5.51 (semver) | Not specified |
| CNA | TYPO3 | TYPO3 CMS | affected: 12.0.0-12.4.46 (semver) | Not specified |
| CNA | TYPO3 | TYPO3 CMS | affected: 13.0.0-13.4.31 (semver) | Not specified |
| CNA | TYPO3 | TYPO3 CMS | affected: 14.0.0-14.3.3 (semver) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/TYPO3/typo3/commit/44c2fa9807944136218a0842e3051c0a379a002d | f4fb688c-4412-4426-b4b8-421ecf27b14a | github.com | |
| typo3.org/security/advisory/typo3-core-sa-2026-016 | f4fb688c-4412-4426-b4b8-421ecf27b14a | typo3.org | |
| github.com/TYPO3/typo3/commit/150a983a5d687cedcfc33bbe9c335d9a13fd05e5 | f4fb688c-4412-4426-b4b8-421ecf27b14a | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Wolfgang Klinger (en)
CNA: Oliver Hader (en)
There are currently no legacy QID mappings associated with this CVE.