Description
The extension fails to verify whether an authenticated user has permission to access redirects, resulting in exposure of redirect records when editing a page.
Published: 2026-03-17
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Broken Access Control
Action: Apply Patch
AI Analysis

Impact

The 'Redirect Tabs' extension for TYPO3 fails to verify whether an authenticated user has permission to access redirect records. As a result, when editing a page, the user can view redirect records that they should not be able to see. This constitutes an information disclosure vulnerability, limited to users who can authenticate to the TYPO3 backend and who have access to edit pages. The primary impact is confidentiality loss: sensitive redirect data may be exposed to unauthorized internal users.

Affected Systems

The vulnerability affects TYPO3 installations that have the 'Redirect Tabs' extension enabled. No specific version numbers are listed in the advisory, so any deployment with the extension present and not patched may be susceptible.

Risk and Exploitability

The CVSS score is 2.3, indicating a low severity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting it is not widely exploited. The likely attack vector is local; an attacker must first authenticate to the TYPO3 backend to edit a page and then trigger the exposure. This requires possessing valid credentials and edit access, which limits the exploitation to insiders or compromised accounts.

Generated by OpenCVE AI on March 17, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor advisory at https://typo3.org/security/advisory/typo3-ext-sa-2026-006 for an available patch or upgrade to a version that fixes the access control issue.
  • If no patch is available, disable the 'Redirect Tabs' extension in the TYPO3 backend to prevent unauthorized exposure of redirect records.
  • Review backend user permissions to ensure only authorized users can edit pages and view redirect data, and consider tightening role-based access controls.

Advisories
Source: GitHub GHSA
ID: GHSA-755r-r738-mjgp
Title: Broken Access Control in extension "Redirect Tab" (redirect_tab)

History

Wed, 18 Mar 2026 12:15:00 +0000

First Time appeared (added): Typo3; Typo3 extension "redirect Tabs"
Vendors & Products (added): Typo3; Typo3 extension "redirect Tabs"

Tue, 17 Mar 2026 14:15:00 +0000

Metrics (added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 09:00:00 +0000

Description (added): The extension fails to verify whether an authenticated user has permission to access redirects, resulting in exposure of redirect records when editing a page.
Title (added): Broken Access Control in extension "Redirect Tab"
Weaknesses (added): CWE-200, CWE-862
References (added):
Metrics (added): cvssV4_0
{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-03-17T13:17:40.134Z

Reserved: 2026-03-15T10:57:58.870Z

Link: CVE-2026-4202

Vulnrichment

Updated: 2026-03-17T13:17:36.102Z

NVD

Status: Awaiting Analysis

Published: 2026-03-17T09:16:14.627

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-4202

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:29Z
