Description
Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TYPO3 CMS allows authenticated backend users to call several Backend API routes and retrieve file metadata without performing the necessary permission checks. Because the API does not enforce the file mount or storage restrictions that are normally applied to backend users, an attacker who can log in as a backend user gains visibility into files that are outside the scope of that user's authorised mounts. This flaw can lead to the leaking of potentially sensitive file names, paths, and other metadata that may assist in further reconnaissance or privilege escalation. The weakness is categorised as an access control failure (CWE-862).

Affected Systems

The vulnerability affects TYPO3 CMS in every major release line older than the following versions: 10.4.57, 11.5.51, 12.4.46, 13.4.31, and 14.3.3. Backends running any release of these lines prior to the listed versions are exposed.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity for this issue. Because the EPSS score is not available, the likelihood of exploitation cannot be quantified from the available data, and the vulnerability is not listed in CISA’s KEV catalog. An attacker must have legitimate backend credentials to trigger the flaw, which suggests an internal or compromised account is required. If an attacker can obtain such credentials, the flaw enables information disclosure that can contribute to broader attacks on the system.

Generated by OpenCVE AI on June 9, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TYPO3 CMS to a version that is not vulnerable: release 10.4.57 or later, 11.5.51 or later, 12.4.46 or later, 13.4.31 or later, or 14.3.3 or later.
  • Configure backend user roles to restrict API permissions and ensure that only trusted users are granted access to backend APIs that can expose file metadata.
  • Monitor backend API usage logs for anomalies and revoke access for users or services that do not require this capability.
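As an added example (not code from OpenCVE or the TYPO3 project), the affected ranges quoted in the description can be turned into a small inventory triage. Each range's upper bound is the fixed release, so it is treated as exclusive, which matches the "or later" upgrade targets above; the host names and version strings in the sample inventory are constructed.

```python
import re

# Affected ranges from the CVE description: (inclusive lower bound or None
# for "any earlier release", exclusive upper bound = first fixed release).
# "before 10.4.57" has no lower bound, so end-of-life lines below 10.4 count too.
AFFECTED_RANGES = [
    (None,       (10, 4, 57)),
    ((11, 0, 0), (11, 5, 51)),
    ((12, 0, 0), (12, 4, 46)),
    ((13, 0, 0), (13, 4, 31)),
    ((14, 0, 0), (14, 3, 3)),
]


def parse_version(text):
    """Parse 'major.minor.patch' into a comparable tuple.

    A leading 'v' and any pre-release/build suffix (e.g. '-dev') are ignored;
    anything else is rejected so a typo in the inventory does not pass silently.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised TYPO3 version: {text!r}")
    return tuple(int(x) for x in m.groups())


def fix_target(version_text):
    """Return the first fixed release for this version's line, or None if not affected."""
    v = parse_version(version_text)
    for lower, fixed in AFFECTED_RANGES:
        if (lower is None or lower <= v) and v < fixed:
            return ".".join(str(x) for x in fixed)
    return None


def triage(inventory):
    """Map host -> required upgrade target for every affected host in the inventory."""
    return {host: fix_target(ver) for host, ver in inventory.items() if fix_target(ver)}


if __name__ == "__main__":
    # Constructed sample inventory (host name -> installed TYPO3 version).
    sample = {"cms-prod-01": "12.4.40", "cms-prod-02": "13.4.31", "cms-legacy": "v10.4.50"}
    for host, target in triage(sample).items():
        print(f"{host}: upgrade to {target} or later")
```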

Generated by OpenCVE AI on June 9, 2026 at 12:21 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 11:15:00 +0000

Type                 Values Removed   Values Added
Description                           Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Title                                 TYPO3 CMS - Broken Access Control in Backend API
First Time appeared                   Typo3; Typo3 typo3
Weaknesses                            CWE-862
CPEs                                  cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Vendors & Products                    Typo3; Typo3 typo3
References
Metrics                               cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T13:47:21.337Z

Reserved: 2026-05-19T12:49:25.966Z

Link: CVE-2026-47352

Vulnrichment

Updated: 2026-06-09T13:47:05.853Z

NVD

Status : Deferred

Published: 2026-06-09T11:16:53.120

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-47352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses