CVE-2026-47350
Unauthorized Page Movement in TYPO3 CMS

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description
Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 6 associated CPEs
Vendor  Product  Version / Range
typo3   cms      From 13.0.0 (inc) to 13.4.31 (inc)
typo3   cms      From 14.0.0 (inc) to 14.3.3 (inc)
typo3   typo3    From 13.0.0 (inc) to 13.4.31 (inc)
typo3   typo3    From 14.0.0 (inc) to 14.3.3 (inc)
typo3   typo3    From 13.0.0 (inc) to 13.4.31 (exc)
typo3   typo3    From 14.0.0 (inc) to 14.3.3 (exc)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The CVE-2026-47350 vulnerability is a broken access control issue in the TYPO3 CMS DataHandler component.

Specifically, backend users were able to move records to a different page without having the necessary edit permissions on the source page.

This happened because during a refactoring of the moveRecord() function, an access check was accidentally omitted.

The missing permission check allowed unauthorized movement of records within the system.

The issue was fixed by re-adding the missing permission check to ensure users can only move records if they have edit rights on the source page.

Impact Analysis

This vulnerability allows backend users to move records without proper edit permissions on the source page.

As a result, unauthorized users could manipulate the organization and placement of records within the TYPO3 CMS.

This could lead to data integrity issues, confusion in content management, and potential unauthorized data exposure or modification.

It undermines the intended access control policies, potentially allowing users to bypass restrictions set by administrators.

Mitigation Strategies

To mitigate the CVE-2026-47350 vulnerability, you should update your TYPO3 CMS installation to a fixed version where the missing access check has been restored.

  • Upgrade TYPO3 CMS to version 13.4.31 LTS or later if you are using the 13.x branch.
  • Upgrade TYPO3 CMS to version 14.3.3 LTS or later if you are using the 14.x branch.

These updates restore the missing permission check in the DataHandler component's moveRecord() function, preventing unauthorized record movement.

Additionally, follow the recommendations in the TYPO3 Security Guide to ensure your system is properly secured.

Compliance Impact

The vulnerability allows backend users to move records without having edit permissions on the source page, which constitutes broken access control.

Such unauthorized access and modification of records could potentially lead to improper handling of sensitive or regulated data, thereby impacting compliance with standards like GDPR or HIPAA that require strict access controls and data integrity.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.
