Description
Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Backend users can move records to a different page without edit permissions on the source page, allowing unauthorized manipulation or exposure of content. This broken access control is a CWE-862 (missing authorization) flaw that can compromise the integrity and confidentiality of site data for users who log into the administration interface.

Affected Systems

TYPO3 CMS versions 13.0.0 through 13.4.31 and 14.0.0 through 14.3.3 are affected.

Risk and Exploitability

The CVSS score is 5.3, indicating medium severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation most likely occurs through the web-based backend interface by users who have valid credentials. Since no additional privileges or conditions are noted, the attack vector is presumed to be local or remote access with a backend login.

Generated by OpenCVE AI on June 9, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update TYPO3 to a version later than 13.4.31 or 14.3.3 to apply the vendor’s official fix.
  • Restrict backend user permissions so that only authorized roles have edit rights to source pages, thereby enforcing proper access control.
  • Enable change‑audit logging for record movements to detect and respond to unauthorized actions.

Generated by OpenCVE AI on June 9, 2026 at 12:21 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 09 Jun 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3. |
| Title | | TYPO3 CMS - Broken Access Control in DataHandler |
| First Time appeared | | Typo3; Typo3 typo3 |
| Weaknesses | | CWE-862 |
| CPEs | | cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:* |
| Vendors & Products | | Typo3; Typo3 typo3 |
| References | | |
| Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T13:50:29.584Z

Reserved: 2026-05-19T12:49:25.966Z

Link: CVE-2026-47350

Vulnrichment

Updated: 2026-06-09T13:50:25.316Z

NVD

Status: Deferred

Published: 2026-06-09T11:16:52.860

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-47350

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses