Description
Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Published: 2026-06-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A backend user with file download permissions could download arbitrary files from the fallback storage of the file abstraction layer. Because that storage resolves paths relative to the server's document root, files outside the intended storage, such as logs, become reachable. The flaw is both a broken access control and a path traversal weakness, and its effect is disclosure of confidential information.

Affected Systems

TYPO3 CMS is affected across four major branches. The vulnerable releases span 11.0.0 to 11.5.50, 12.0.0 to 12.4.45, 13.0.0 to 13.4.30, and 14.0.0 to 14.3.2.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability poses a moderate to high risk. Exploitation requires an authenticated backend user with file download rights, a permission that many backend accounts are likely to hold. Since EPSS is not available and the issue is not listed in CISA KEV, it has not been confirmed as widely exploited, but the medium chance of occurrence and the potential confidentiality impact warrant prompt action.

Generated by OpenCVE AI on June 9, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TYPO3 CMS to a version that includes the fix as outlined in the official TYPO3 Core Security Advisory (typo3-core-sa-2026-013).
  • Refine backend role permissions by restricting the file download capability to explicitly listed directories or trusted storage containers, limiting accidental exposure of sensitive files.
  • Reconfigure or disable the fallback storage path resolution in the Media Module so that file requests do not resolve relative paths against the document root, ensuring that only explicit, allowed paths are served.

Generated by OpenCVE AI on June 9, 2026 at 12:20 UTC.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 11:15:00 +0000

Type: Description
Values Added: Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Type: Title
Values Added: TYPO3 CMS - Broken Access Control in Media Module

Type: First Time appeared
Values Added: Typo3; Typo3 typo3

Type: Weaknesses
Values Added: CWE-200; CWE-22

Type: CPEs
Values Added: cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Typo3; Typo3 typo3

Type: References

Type: Metrics
Values Added: cvssV4_0
{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-09T13:28:09.757Z

Reserved: 2026-06-01T10:52:50.597Z

Link: CVE-2026-49742

Vulnrichment

Updated: 2026-06-09T13:28:01.590Z

NVD

Status: Deferred

Published: 2026-06-09T11:16:53.650

Modified: 2026-06-09T13:46:50.540

Link: CVE-2026-49742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T12:45:04Z

Weaknesses