CVE-2026-4202
Received Received - Intake
Authorization Bypass in Extension Exposes Redirect Records

Publication date: 2026-03-17

Last updated on: 2026-04-25

Assigner: TYPO3

Description
The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-04-25
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4202
EUVD
EUVD-2026-12552
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
ayacoo redirect_tab to 2.1.2 (exc)
ayacoo redirect_tab From 3.0.0 (inc) to 3.1.7 (exc)
ayacoo redirect_tab From 4.0.0 (inc) to 4.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'The vulnerability exists in the TYPO3 extension "Redirect Tab" (redirect_tab), where the extension fails to verify if an authenticated user has the necessary permissions to access redirect records when editing a page.'}, {'type': 'paragraph', 'content': 'This means that users who are logged in but should not have access to certain redirect records can still view them, leading to unauthorized exposure of sensitive redirect information.'}, {'type': 'paragraph', 'content': 'The issue is classified as a Broken Access Control vulnerability, linked to missing authorization (CWE-862) and information exposure (CWE-200).'}] [1]

Impact Analysis

This vulnerability can lead to unauthorized users viewing redirect records that they should not have access to.

While the severity is considered low, the exposure of redirect records could potentially reveal sensitive information about website structure or user navigation paths.

This could be exploited by attackers or unauthorized users to gather information that might assist in further attacks or reconnaissance.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized access to redirect records in the TYPO3 extension "Redirect Tab" due to missing permission checks. Detection would involve verifying if users without proper permissions can access or edit redirect records.'}, {'type': 'paragraph', 'content': 'Since the issue is specific to the TYPO3 extension and its permission handling, detection on the system would require checking the version of the redirect_tab extension installed and testing access controls within the TYPO3 backend.'}, {'type': 'paragraph', 'content': 'No specific network or system commands are provided in the available resources to detect this vulnerability.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the TYPO3 extension "Redirect Tab" to a fixed version.'}, {'type': 'list_item', 'content': 'Upgrade to version 4.0.5 or later if using the 4.x series.'}, {'type': 'list_item', 'content': 'Upgrade to version 3.1.7 or later if using the 3.x series.'}, {'type': 'list_item', 'content': 'Upgrade to version 2.1.2 or later if using the 2.x series.'}, {'type': 'paragraph', 'content': 'These updates are available via the TYPO3 extension manager, Packagist, and the TYPO3 extensions repository.'}, {'type': 'paragraph', 'content': 'Additionally, users are recommended to follow the TYPO3 Security Guide and subscribe to the typo3-announce mailing list for further security updates.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart