Description
The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Published: 2026-06-09
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The path allowance check in GeneralUtility::isAllowedAbsPath() used a plain string prefix comparison, missing a directory separator boundary. This allowed a path such as /var/www/html-other/secret.yaml to be treated as within the project root when the root was /var/www/html. Administrators who could use the File Abstraction Layer could therefore create file storage definitions that pointed to directories outside the intended project scope, bypassing the path validation. The consequence is that privileged users could read or modify files outside the web root, potentially exposing sensitive configuration data or compromising the integrity of the application.
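To make the flaw described above (in the CVE description and in this Impact section) concrete, the following is an added illustration written for this page; it is not TYPO3's code and does not reproduce GeneralUtility::isAllowedAbsPath(). It contrasts a naive prefix comparison with a boundary-aware check that normalises both sides, and adds a small review helper in the spirit of the recommended action to audit storage definitions for base paths outside the project root. The project root, the function names and the sample storage definitions are all constructed for the example.

```python
import posixpath

# Constructed project root for the example; TYPO3 derives its own from the installation.
PROJECT_ROOT = "/var/www/html"


def is_allowed_abs_path_naive(path: str, root: str = PROJECT_ROOT) -> bool:
    """Illustration of the flawed pattern: a plain string prefix comparison.

    Hypothetical reconstruction of the described defect, not TYPO3's code.
    "/var/www/html-other/..." starts with "/var/www/html", so it is accepted.
    """
    return path.startswith(root)


def is_allowed_abs_path_fixed(path: str, root: str = PROJECT_ROOT) -> bool:
    """Boundary-aware check: the path must be the root itself or lie below it.

    Both sides are normalised first so that "." and ".." segments or a trailing
    separator cannot slip past the comparison. normpath does not resolve
    symlinks; on a live filesystem you would also realpath() both sides.
    """
    if not posixpath.isabs(path):
        return False
    root_n = posixpath.normpath(root)
    path_n = posixpath.normpath(path)
    if root_n == "/":
        return True  # edge case: everything lies below the filesystem root
    # Either exactly the root, or the root followed by a directory separator.
    return path_n == root_n or path_n.startswith(root_n + "/")


def find_storages_outside_root(storages, root: str = PROJECT_ROOT):
    """Return (identifier, base_path) pairs whose base path is outside the root.

    This is the review step from the recommended actions: list existing
    storage definitions that the boundary-aware check would reject.
    """
    return [
        (name, base) for name, base in storages
        if not is_allowed_abs_path_fixed(base, root)
    ]


# Constructed sample storage definitions (not real TYPO3 records).
SAMPLE_STORAGES = [
    ("fileadmin", "/var/www/html/fileadmin/"),
    ("uploads", "/var/www/html/uploads"),
    ("suspicious-sibling", "/var/www/html-other/"),
    ("traversal", "/var/www/html/../html-other/secret"),
]

if __name__ == "__main__":
    for name, base in SAMPLE_STORAGES:
        print(f"{name:20} naive={is_allowed_abs_path_naive(base)!s:5} "
              f"fixed={is_allowed_abs_path_fixed(base)}")
    print("outside root:", find_storages_outside_root(SAMPLE_STORAGES))
```

Running the script shows the sibling directory /var/www/html-other/ and the traversal entry passing the naive check but failing the boundary-aware one, which is exactly the class of storage definition the remediation list asks administrators to find and remove.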

Affected Systems

TYPO3 CMS, versions before 10.4.57, 11.0.0–11.5.51, 12.0.0–12.4.46, 13.0.0–13.4.31, and 14.0.0–14.3.3 are vulnerable.

Risk and Exploitability

The CVSS score of 2.1 indicates a low severity from a technical perspective. Because the vulnerability is only exploitable by users who already have administrative access to the File Abstraction Layer, the risk is limited to environments where an attacker can compromise an administrator account. EPSS data is not available and the issue is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not been observed. Nevertheless, the bug allows an attacker with the required privileges to access or alter files outside the designated project root.

Generated by OpenCVE AI on June 9, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TYPO3 CMS to a fixed version (at least 10.4.57, 11.5.51, 12.4.46, 13.4.31, or 14.3.3).
  • If a direct upgrade is not immediately possible, restrict access to the File Abstraction Layer to only trusted administrators and review existing storage definitions for paths outside the project root.
  • Remove or correct any storage definitions that point to directories outside the intended project root to prevent unintended file access.


Tracking


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Title TYPO3 CMS - Broken Access Control in File Abstraction Layer
First Time appeared Typo3
Typo3 typo3
Weaknesses CWE-22
CPEs cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Vendors & Products Typo3
Typo3 typo3
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T13:43:12.573Z

Reserved: 2026-06-01T10:52:50.597Z

Link: CVE-2026-49738

Vulnrichment

Updated: 2026-06-09T13:43:06.922Z

NVD

Status : Deferred

Published: 2026-06-09T11:16:53.247

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-49738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T12:30:04Z

Weaknesses