CVE-2026-6553
Analyzed Analyzed - Analysis Complete
Cleartext Password Storage in TYPO3 CMS 14.2.0 User Settings

Publication date: 2026-04-21

Last updated on: 2026-05-05

Assigner: TYPO3

Description
Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6553
EUVD
EUVD-2026-24081
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
typo3 typo3 14.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6553 is a sensitive data exposure vulnerability in TYPO3 CMS version 14.2.0 affecting the backend user settings module. When backend users change their passwords via this module, the passwords are mistakenly stored in cleartext within the `uc` and `user_settings` fields of the `be_users` database table. This happens because the system improperly mixes sensitive entity data like passwords with user-interface settings such as themes and display options when saving changes.

The root cause is that the backend form controller merged virtual user settings fields with regular database fields into a single submission array, making it impossible to distinguish between them. As a result, password fields were serialized and stored in user settings data where they should not be, exposing sensitive password information.

The issue was fixed by separating the handling of user data into two partitions: one for database fields and one for user settings, ensuring passwords are only stored in the database fields and excluded from serialized user settings. An upgrade wizard was also introduced to detect and clean existing stored passwords from the user settings fields.

Impact Analysis

This vulnerability can lead to the exposure of backend user passwords in cleartext within the TYPO3 database. If an attacker gains access to the database or backups, they could retrieve these passwords easily, compromising backend user accounts.

Such exposure increases the risk of unauthorized access to the TYPO3 backend, potentially allowing attackers to manipulate website content, access sensitive information, or escalate privileges.

Additionally, because passwords are stored in cleartext, it undermines the security best practices and increases the potential damage from data breaches.

Detection Guidance

This vulnerability can be detected by scanning the `be_users` database table for cleartext passwords stored in the `uc` and `user_settings` fields. Specifically, you can look for serialized data containing the string "password" or ":"password" within these fields.

TYPO3 provides an upgrade wizard called the User Settings Scrubbing wizard that scans for and removes stored passwords from these serialized user settings fields.

While no specific commands are provided in the resources, a typical approach would be to query the database directly, for example using SQL commands like:

  • SELECT uid, uc, user_settings FROM be_users WHERE uc LIKE '%password%' OR user_settings LIKE '%password%';

This query helps identify backend users whose settings fields contain cleartext password data.

Mitigation Strategies

The immediate mitigation steps are:

  • Upgrade TYPO3 CMS to version 14.3.0 LTS or later, which contains the fix for this vulnerability.
  • Manually run all User Settings upgrade wizards in the TYPO3 Install Tool, including the dedicated User Settings Scrubbing wizard, to sanitize the `uc` and `user_settings` fields in the `be_users` database table.
  • Reset passwords for all affected backend user accounts to ensure that any previously exposed cleartext passwords are no longer valid.

Following these steps will remove existing cleartext passwords from the database and prevent future exposure.

Compliance Impact

This vulnerability results in backend user passwords being stored in cleartext within the TYPO3 CMS database fields `uc` and `user_settings` of the `be_users` table. Storing passwords in cleartext is a serious security flaw that can lead to unauthorized access and data breaches.

Such exposure of sensitive authentication data can violate common data protection standards and regulations like GDPR and HIPAA, which require proper protection of personal and sensitive information, including encryption or hashing of passwords.

Therefore, this vulnerability negatively impacts compliance by increasing the risk of sensitive data exposure and failing to meet the security requirements mandated by these regulations.

To remediate and restore compliance, affected TYPO3 installations must upgrade to version 14.3.0 LTS, run the User Settings Scrubbing wizard to remove cleartext passwords from stored user settings, and reset all affected backend user passwords.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6553. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart