Description
Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.
Published: 2026-04-21
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Cleartext password storage
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises in the backend user settings module of TYPO3 CMS, where changing a user password results in the cleartext password being written to the uc and user_settings columns of the be_users database table. This insecure storage of sensitive data (CWE-312) means that any party with database access can read stored passwords, potentially compromising user accounts and enabling further unauthorized actions. The CVSS score of 7.3 reflects a moderate-to-high risk of credential compromise in environments that rely on CMS backend authentication.

Affected Systems

TYPO3 CMS version 14.2.0 is affected. No other versions were listed as impacted, so only installations of the 14.2.0 release are known to be vulnerable.

Risk and Exploitability

The EPSS score indicates a probability of exploitation of less than 1%. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely known active exploitation. Because the issue is triggered by altering passwords through the backend user interface, a likely attack vector involves an insider or an attacker who has already gained database access; there is no direct external network exploitation mentioned, so the risk is largely limited to systems with insufficient isolation of the CMS backend and database.

Generated by OpenCVE AI on April 21, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of TYPO3 CMS where the cleartext password storage issue is resolved.
  • Restrict backend user permissions so that only trusted administrators can change passwords via the user settings module.
  • Review and cleanse the be_users table for any existing cleartext passwords and enforce hashing or deletion of those entries.


Advisories

No advisories yet.

History

Tue, 21 Apr 2026 14:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 10:15:00 +0000

Type                 Values Removed    Values Added
Description                            Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.
Title                                  TYPO3 CMS Stores Cleartext Password in User Settings Module
First Time appeared                    Typo3; Typo3 typo3
Weaknesses                             CWE-312
CPEs                                   cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
Vendors & Products                     Typo3; Typo3 typo3
References
Metrics                                cvssV4_0: {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-04-21T13:20:23.515Z

Reserved: 2026-04-17T21:40:53.165Z

Link: CVE-2026-6553

Vulnrichment

Updated: 2026-04-21T13:20:18.344Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T10:16:31.220

Modified: 2026-04-21T16:20:24.180

Link: CVE-2026-6553

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:37Z

Weaknesses