CVE-2026-47349
Status: Received - Intake
Authorization Bypass in TYPO3 CMS Recycler Module

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description
Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products

Vendor  Product  Version / Range
typo3   typo3    From 10.0.0 (inc) to 10.4.56 (inc)
typo3   typo3    From 11.0.0 (inc) to 11.5.50 (inc)
typo3   typo3    From 12.0.0 (inc) to 12.4.45 (inc)
typo3   typo3    From 13.0.0 (inc) to 13.4.30 (inc)
typo3   typo3    From 14.0.0 (inc) to 14.3.2 (inc)
typo3   typo3    10.4.57
typo3   typo3    11.5.51
typo3   typo3    12.4.46
typo3   typo3    13.4.31
typo3   typo3    14.3.3
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

CVE-2026-47349 is a security vulnerability in the TYPO3 CMS Recycler module where backend users with access to the Recycler could restore soft-deleted records on pages or tables they were not authorized to modify.

The root cause was insufficient permission checks during the undelete (restore) operation. While TYPO3 validated permissions for deleting records, it did not properly verify permissions when restoring them.

As a result, users could restore records they were not authorized to modify, which amounts to an unauthorized change to the affected pages or tables.

The fix involved adding explicit permission checks to ensure users have write permissions for the table and insert permissions on the target page before allowing undelete operations.

Impact Analysis

This vulnerability can impact you by allowing backend users with Recycler access to restore soft-deleted records on pages or tables they are not authorized to modify.

Such unauthorized restoration can lead to unintended or malicious modifications of content or data within your TYPO3 CMS installation.

This could compromise data integrity and potentially expose sensitive information or disrupt normal operations.

Detection Guidance

This vulnerability involves insufficient permission checks when restoring soft-deleted records in the TYPO3 CMS Recycler module. Detection therefore means verifying whether backend users can restore records on pages or tables they are not authorized to modify.

Since the issue is related to permission checks in the DataHandler component's undeleteRecord method, detection can be done by reviewing user permissions and attempting to undelete records with a user account that should not have such permissions.

There are no specific network or system commands provided in the resources to detect this vulnerability automatically.

A practical approach is to test undelete operations in the TYPO3 backend with accounts having limited permissions to see if unauthorized restoration is possible.
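The following is an added illustrative model of the authorization gap described in the Executive Summary and of the probe suggested in the Detection Guidance. It is not TYPO3 code and does not reproduce the DataHandler or its undeleteRecord method: the record and permission classes, the `undelete_vulnerable` and `undelete_fixed` functions and the sample users are hypothetical stand-ins that only capture the two conditions the page names for the fix (write permission on the table, insert permission on the target page).

```python
"""Illustrative model of the CVE-2026-47349 authorization gap.

Added example, not TYPO3's own code. Every class, function and sample value
here is a constructed simplification of the behaviour the advisory describes.
"""
from dataclasses import dataclass, field


@dataclass
class Record:
    uid: int
    table: str       # database table the record belongs to
    pid: int         # uid of the page the record lives on
    deleted: bool = True


@dataclass
class BackendUser:
    name: str
    is_admin: bool = False
    recycler_access: bool = True
    tables_modify: set = field(default_factory=set)  # tables the user may write
    page_insert: set = field(default_factory=set)    # pages the user may insert into


class PermissionDenied(Exception):
    """Raised when an undelete request fails an authorization check."""


def undelete_vulnerable(user: BackendUser, record: Record) -> Record:
    """Pre-fix behaviour as described on the page: having access to the
    Recycler module is the only thing checked before a record is restored."""
    if not user.recycler_access:
        raise PermissionDenied("no Recycler module access")
    record.deleted = False
    return record


def undelete_fixed(user: BackendUser, record: Record) -> Record:
    """Post-fix behaviour as described on the page: the user must also hold
    write permission on the record's table and insert permission on the page
    the record is restored to. Admins are assumed to bypass both checks."""
    if not user.recycler_access:
        raise PermissionDenied("no Recycler module access")
    if not user.is_admin:
        if record.table not in user.tables_modify:
            raise PermissionDenied(f"no write permission on table {record.table}")
        if record.pid not in user.page_insert:
            raise PermissionDenied(f"no insert permission on page {record.pid}")
    record.deleted = False
    return record


def probe(undelete, user: BackendUser, record: Record) -> str:
    """Detection helper: report whether a restore attempt went through
    instead of raising, so a permission matrix can be tabulated."""
    try:
        undelete(user, record)
        return "RESTORED"
    except PermissionDenied:
        return "DENIED"


# Constructed sample principals and records (not from the advisory).
LIMITED_EDITOR = BackendUser(
    name="limited-editor",
    tables_modify={"tt_content"},   # may only edit content elements
    page_insert={1},                # may only insert on page 1
)
ADMIN = BackendUser(name="admin", is_admin=True)


def make_own_record() -> Record:
    """A record the limited editor is allowed to restore."""
    return Record(uid=10, table="tt_content", pid=1)


def make_foreign_record() -> Record:
    """A page record on a page the limited editor has no rights to."""
    return Record(uid=20, table="pages", pid=5)


def run_matrix() -> dict:
    """Run the probe against both implementations; a 'RESTORED' result for
    the limited editor on the foreign record is the vulnerable behaviour."""
    return {
        "vulnerable/limited/foreign": probe(undelete_vulnerable, LIMITED_EDITOR, make_foreign_record()),
        "fixed/limited/foreign": probe(undelete_fixed, LIMITED_EDITOR, make_foreign_record()),
        "fixed/limited/own": probe(undelete_fixed, LIMITED_EDITOR, make_own_record()),
        "fixed/admin/foreign": probe(undelete_fixed, ADMIN, make_foreign_record()),
    }


if __name__ == "__main__":
    for case, outcome in run_matrix().items():
        print(f"{case:28s} {outcome}")
```

The same matrix approach carries over to a real backend: give a test account access to the Recycler module but no write permission on a table and no insert permission on a page, attempt a restore there, and treat a successful restore as the indicator that the instance is still running a vulnerable version.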

Mitigation Strategies

The primary mitigation step is to update TYPO3 CMS to a fixed version that addresses this vulnerability.

  • Upgrade to TYPO3 CMS version 10.4.57 ELTS or later if using the 10.x branch.
  • Upgrade to TYPO3 CMS version 11.5.51 ELTS or later if using the 11.x branch.
  • Upgrade to TYPO3 CMS version 12.4.46 ELTS or later if using the 12.x branch.
  • Upgrade to TYPO3 CMS version 13.4.31 LTS or later if using the 13.x branch.
  • Upgrade to TYPO3 CMS version 14.3.3 LTS or later if using the 14.x branch.

Additionally, follow the TYPO3 Security Guide and subscribe to the typo3-announce mailing list for ongoing security updates.

Compliance Impact

The vulnerability allows backend users to restore soft-deleted records on pages or tables they are not authorized to modify, which constitutes a broken access control issue.

Such unauthorized restoration of records could lead to unauthorized data modifications and potential exposure of sensitive information, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and data integrity.

By allowing users to bypass permission checks during record restoration, the vulnerability undermines the enforcement of access policies critical for regulatory compliance.
