Description
Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in TYPO3 CMS allows backend users who can access the Recycler module to restore items that they are not permitted to modify. The vulnerability provides a form of privilege escalation by enabling users to bypass deletion safeguards, potentially restoring sensitive data or altering content without proper authorization. This directly compromises data integrity and privacy for the affected sites.

Affected Systems

TYPO3 CMS versions earlier than 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31, or 14.0.0-14.3.3 are impacted. The vulnerability arises from the Recycler module in these releases.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Because the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, widespread exploitation is not documented. An attacker must first have backend access to the CMS and the ability to use the Recycler module, so the attack surface is limited to authenticated users. With that access, they can craft a request to restore soft-deleted records, effectively elevating their privileges to modify content they should not control.

Generated by OpenCVE AI on June 9, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TYPO3 CMS to a version that includes the official fix: 10.4.57 or later, 11.5.51 or later, 12.4.46 or later, 13.4.31 or later, or 14.3.3 or later.
  • Restrict access to the Recycler module by ensuring only authorized staff can use it, and verify that permission settings match role‑based requirements.
  • Temporarily disable the restore functionality for non‑admin users in the CMS configuration until a patch is applied.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Title TYPO3 CMS - Broken Access Control in Recycler
First Time appeared Typo3
Typo3 typo3
Weaknesses CWE-862
CPEs cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Vendors & Products Typo3
Typo3 typo3
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T13:51:28.134Z

Reserved: 2026-05-19T12:49:25.966Z

Link: CVE-2026-47349

Vulnrichment

Updated: 2026-06-09T13:51:19.046Z

NVD

Status : Deferred

Published: 2026-06-09T11:16:52.720

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-47349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses