CVE-2026-6553
Cleartext Password Storage in TYPO3 CMS 14.2.0 User Settings
Publication date: 2026-04-21
Last updated on: 2026-05-05
Assigner: TYPO3
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| typo3 | typo3 | 14.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6553 is a sensitive data exposure (CWE-312) vulnerability in TYPO3 CMS 14.2.0 affecting the backend user settings module. When a backend user changes their password through this module, the submitted password is written in cleartext into the `uc` and `user_settings` fields of the `be_users` database table, alongside the properly hashed value in the regular password column. The module mixes sensitive entity data such as passwords with user-interface settings such as themes and display options when it saves the form.
The root cause is that the backend form controller merged the virtual user settings fields and the regular database fields into a single submission array, so the code that persisted the submission could not tell which values belonged in database columns and which belonged in the serialized settings. The password fields were therefore serialized into the user settings data together with everything else.
The fix separates the submitted data into two partitions, one for database fields and one for user settings, so that passwords are only ever written to the database columns and never reach the serialized settings. An upgrade wizard was also introduced to detect and remove passwords already stored in the settings fields of existing installations.
How can this vulnerability impact me?
This vulnerability exposes backend user passwords in cleartext inside the TYPO3 database. Anyone who can read the database, a database dump or a backup can retrieve them directly, with no hash cracking required, and use them to log in to the affected backend accounts.
Such access allows an attacker to manipulate website content, read sensitive information held in the backend, or escalate privileges from a low-privileged editor account. Where users reuse passwords, the exposure extends to accounts on other systems.
Storing passwords in cleartext also undermines the protection that password hashing is meant to provide, so the damage from any database breach, including one that happened before the flaw was noticed, is larger than it would otherwise be.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning the `be_users` database table for password values stored in the `uc` and `user_settings` fields. Only users who changed their password through the user settings module while version 14.2.0 was installed will have such values. Look for serialized data containing a `password` key; if the field is PHP-serialized the key appears as `s:8:"password"`, and a JSON encoding would show `"password":`.
TYPO3 provides an upgrade wizard, the User Settings Scrubbing wizard, that scans these serialized user settings fields for stored passwords and removes them.
No specific commands are given in the resources, but a typical first check is to query the database directly, for example:
- SELECT uid, uc, user_settings FROM be_users WHERE uc LIKE '%password%' OR user_settings LIKE '%password%';
This query lists backend users whose settings fields contain the word "password" anywhere. It is deliberately broad: it also matches keys or values that merely contain that word (for example a setting named `passwordReminder`), so narrowing the pattern to the serialized key form `s:8:"password"` or decoding the field and checking the key names reduces false positives. Treat any uid it returns as an account whose password must be reset, not only scrubbed.
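The following script is an added example, not part of the advisory or of the TYPO3 code base. Instead of a substring match, it decodes each `uc` and `user_settings` blob and reports only entries whose key is an actual password field holding a non-empty string, so a setting such as `passwordReminder` is not flagged. It assumes the blobs are PHP `serialize()` output (JSON is accepted as a fallback); the key name `password` is the field named in the advisory, and `password2` (the form's confirmation input) is an assumed name. The sample rows are constructed, and the script prints locations, never the password values themselves.

```python
"""Scan TYPO3 be_users settings blobs for stored password values (CVE-2026-6553).

Added example, not TYPO3 project code. Assumes the `uc` and `user_settings`
columns hold PHP-serialized arrays (JSON is accepted as a fallback); `password`
is the field named in the advisory, `password2` is the assumed name of the
confirmation input of the user settings form.
"""
import json
from typing import Any, Dict, List, Tuple

# Key names treated as password material (`password2` is an assumption).
SENSITIVE_KEYS = ("password", "password2")


def _unserialize_at(data: bytes, pos: int) -> Tuple[Any, int]:
    """Parse one PHP-serialized value at `pos`; return (value, next_pos).

    Handles N, b, i, d, s and a, which is enough for settings arrays. The
    length in `s:` is a byte length, so slicing happens on bytes before decoding.
    """
    tag = data[pos:pos + 1]
    if tag == b"N":                       # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):         # b:1;  i:42;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        if tag == b"b":
            return raw == b"1", end + 1
        if tag == b"i":
            return int(raw), end + 1
        return float(raw), end + 1
    if tag == b"s":                       # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                 # skip ':"'
        text = data[start:start + length].decode("utf-8", "replace")
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f"bad string terminator at offset {start + length}")
        return text, start + length + 2
    if tag == b"a":                       # a:<count>:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                     # skip ':{'
        result: Dict[Any, Any] = {}
        for _ in range(count):
            key, p = _unserialize_at(data, p)
            value, p = _unserialize_at(data, p)
            result[key] = value
        if data[p:p + 1] != b"}":
            raise ValueError(f"bad array terminator at offset {p}")
        return result, p + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def decode_settings(payload: bytes) -> Any:
    """Decode a be_users.uc / user_settings blob (PHP serialize() or JSON)."""
    if payload[:2] in (b"a:", b"N;", b"s:"):
        value, end = _unserialize_at(payload, 0)
        if end != len(payload):
            raise ValueError("trailing bytes after serialized value")
        return value
    return json.loads(payload)


def find_password_values(value: Any, path: str = "") -> List[str]:
    """Return key paths whose name is a password field and whose value is a non-empty string."""
    hits: List[str] = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}/{key}"
            if str(key).lower() in SENSITIVE_KEYS and isinstance(child, str) and child:
                hits.append(child_path)
            hits.extend(find_password_values(child, child_path))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            hits.extend(find_password_values(child, f"{path}/{index}"))
    return hits


def scan_rows(rows) -> Dict[int, List[str]]:
    """Map uid -> ['<column>:<path>', ...] for rows that still carry a password value."""
    findings: Dict[int, List[str]] = {}
    for uid, uc, user_settings in rows:
        for column, payload in (("uc", uc), ("user_settings", user_settings)):
            if not payload:
                continue
            try:
                decoded = decode_settings(payload)
            except ValueError as exc:     # json.JSONDecodeError is a ValueError
                findings.setdefault(uid, []).append(f"{column}: undecodable ({exc})")
                continue
            for path in find_password_values(decoded):
                findings.setdefault(uid, []).append(f"{column}:{path}")
    return findings


# Constructed sample rows (uid, uc, user_settings), not data from a real site.
SAMPLE_ROWS = [
    (1, b'a:2:{s:4:"lang";s:2:"de";s:8:"password";s:10:"Hunter2!!!";}', b'a:0:{}'),
    (2, b'a:1:{s:14:"emailMeAtLogin";i:1;}', b'N;'),
    (3, b'a:1:{s:5:"theme";s:4:"dark";}',
     b'a:2:{s:8:"password";s:9:"s3cret-pw";s:9:"password2";s:9:"s3cret-pw";}'),
    (4, b'{"lang":"en","passwordReminder":"none"}', None),   # LIKE '%password%' would flag this
]

if __name__ == "__main__":
    for uid, locations in scan_rows(SAMPLE_ROWS).items():
        print(f"be_users.uid={uid}: {', '.join(locations)}")
```

In practice the rows would come from `SELECT uid, uc, user_settings FROM be_users` through whatever database driver the site uses; the scanner reports uid 1 (`uc`) and uid 3 (`user_settings`) and ignores uid 4, which a plain `LIKE '%password%'` would have returned. Run it before and after the scrubbing wizard to confirm the wizard cleared every row, and reset the password of every uid it reports.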
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps are:
- Upgrade TYPO3 CMS to version 14.3.0 or later, which contains the fix.
- Run the User Settings upgrade wizards in the TYPO3 Install Tool, including the dedicated User Settings Scrubbing wizard, to remove password values from the `uc` and `user_settings` fields of the `be_users` table. On Composer-based installations the same wizards can be listed and executed from the command line with `vendor/bin/typo3 upgrade:list` and `vendor/bin/typo3 upgrade:run`.
- Reset the passwords of all affected backend accounts, that is, every user who changed their password through the user settings module while 14.2.0 was installed; if that set cannot be established reliably, reset all backend user passwords. Scrubbing the live table does not remove the values from database dumps, backups or replication logs taken in the meantime, so treat the exposed passwords as compromised rather than relying on the cleanup alone.
Together these steps remove the existing cleartext passwords from the database, invalidate any copies that have already leaked, and prevent future exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes backend user passwords to be stored in cleartext in the `uc` and `user_settings` fields of the `be_users` table in the TYPO3 CMS database. Cleartext password storage is a serious security flaw that can lead to unauthorized access and data breaches.
Exposure of authentication data in this way can violate data protection standards and regulations such as GDPR and HIPAA, which require appropriate protection of personal and sensitive information, including hashing or encryption of stored credentials.
The vulnerability therefore weakens compliance by raising the risk of sensitive data exposure and by failing the security requirements these regulations impose.
To remediate and restore compliance, affected TYPO3 installations must upgrade to version 14.3.0 or later, run the User Settings Scrubbing wizard to remove cleartext passwords from the stored user settings, and reset all affected backend user passwords.