CVE-2026-47352
TYPO3 CMS Unauthorized File Metadata Access via Backend API

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description
Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (9 associated CPEs)

Vendor Product Version / Range
typo3 typo3 to 10.4.57 (exc)
typo3 typo3 to 11.5.51 (exc)
typo3 typo3 to 12.4.46 (exc)
typo3 typo3 to 13.4.31 (exc)
typo3 typo3 to 14.3.3 (exc)
typo3 typo3 From 11.0.0 (inc) to 11.5.51 (inc)
typo3 typo3 From 12.0.0 (inc) to 12.4.46 (inc)
typo3 typo3 From 13.0.0 (inc) to 13.4.31 (inc)
typo3 typo3 From 14.0.0 (inc) to 14.3.3 (inc)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability, identified as CVE-2026-47352, is a Broken Access Control issue in the TYPO3 CMS backend API. Authenticated backend users were able to retrieve file metadata through several API routes without proper permission checks. This allowed them to access files outside their permitted file mounts or storages, which they should not have been able to see.

The root cause was the lack of explicit read permission checks before displaying file or folder metadata. The vulnerability was fixed by adding these permission checks and proper exception handling to ensure users only access resources they are authorized to read.

Compliance Impact

The vulnerability allows authenticated backend users to access file metadata without proper permission checks, potentially exposing files outside their permitted storage areas.

Such unauthorized access to file metadata could lead to exposure of sensitive or personal data, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict access controls and protection of personal information.

By allowing access beyond intended permissions, this vulnerability could increase the risk of data breaches or unauthorized data disclosure, thereby affecting an organization's ability to meet regulatory requirements for data confidentiality and integrity.

Impact Analysis

This vulnerability can impact you by allowing authenticated backend users to access file metadata and potentially files that they are not authorized to view. This unauthorized access could lead to exposure of sensitive or confidential information stored in files outside their permitted areas.

Such unauthorized access undermines the security model of the TYPO3 CMS, potentially leading to data leaks or misuse of information that should be restricted.

Detection Guidance

This vulnerability involves improper permission checks in TYPO3 backend API routes that allow authenticated backend users to retrieve file metadata without proper authorization.

Detection can focus on monitoring API requests to backend routes that expose file metadata, especially those made by authenticated users.

Since the issue is related to permission checks, one approach is to check for unexpected 200 OK responses when accessing file metadata endpoints with users who should not have access.

Specific commands are not provided in the resources, but general detection steps could include:

  • Review web server or application logs for API calls to file metadata endpoints from authenticated users.
  • Use tools like curl or HTTP clients to simulate authenticated backend user requests to file metadata API routes and observe if unauthorized access is granted.
  • Example curl command to test access (replace URL and authentication token accordingly):
    curl -H "Authorization: Bearer <token>" https://your-typo3-instance/api/filemetadata/<file-id>
  • Check if the response returns file metadata (indicating a potential vulnerability) or a 403 Forbidden error (indicating proper permission enforcement).

Mitigation Strategies

The primary mitigation step is to update TYPO3 CMS to a patched version where the vulnerability is fixed.

  • Upgrade to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS or later.

The fix involves adding explicit permission checks in backend API routes to ensure users can only access file metadata they are authorized to view.
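To make the root cause and the fix described above concrete, here is an added, language-independent model of the missing check, written in Python for illustration and not taken from TYPO3's own code: a metadata handler that trusts authentication alone sits next to one that verifies the requested file lies inside one of the user's file mounts before answering, and raises instead of returning data otherwise. The file table, mount paths and user names are constructed; the model also goes beyond the advisory text by covering two ways a naive mount check can fail (`..` segments in the identifier and bare prefix matching on the mount folder).

```python
from posixpath import normpath
from typing import NamedTuple

class InsufficientFileAccessPermissions(Exception):
    """Raised by the fixed handler instead of returning metadata when the read check fails."""

class FileMount(NamedTuple):
    storage_uid: int   # a mount is scoped to exactly one storage
    base_path: str     # folder inside that storage, e.g. "/user_upload/"

class BackendUser(NamedTuple):
    username: str
    is_admin: bool = False
    mounts: tuple = ()

# Constructed file table (hypothetical data): uid -> (storage uid, identifier, metadata)
FILES = {
    1: (1, "/user_upload/flyer.pdf", {"name": "flyer.pdf", "size": 12345}),
    2: (1, "/_temp_/internal/salaries.xlsx", {"name": "salaries.xlsx", "size": 9001}),
    3: (2, "/user_upload/photo.jpg", {"name": "photo.jpg", "size": 2048}),
    4: (1, "/user_upload/../_temp_/internal/keys.txt", {"name": "keys.txt", "size": 64}),
    5: (1, "/user_uploads_other/note.txt", {"name": "note.txt", "size": 10}),
}

EDITOR = BackendUser("editor", mounts=(FileMount(1, "/user_upload/"),))  # constructed user
ADMIN = BackendUser("admin", is_admin=True)                                # constructed user

def inside_mount(storage_uid: int, identifier: str, mount: FileMount) -> bool:
    """True only if the file lives in the mount's storage and under its base folder."""
    if storage_uid != mount.storage_uid:
        return False
    # Normalise both sides so "/a/../b" cannot escape the mount, and compare with a
    # trailing slash so "/user_upload" does not match "/user_uploads_other" by prefix.
    base = normpath(mount.base_path).rstrip("/") + "/"
    return normpath(identifier).startswith(base)

def can_read(user: BackendUser, file_uid: int) -> bool:
    """Explicit read check: admin, or the file lies inside one of the user's mounts."""
    storage_uid, identifier, _ = FILES[file_uid]
    return user.is_admin or any(inside_mount(storage_uid, identifier, m) for m in user.mounts)

def metadata_vulnerable(user: BackendUser, file_uid: int) -> dict:
    """Pre-fix shape: being logged in is the only gate, so any file uid is served."""
    return FILES[file_uid][2]

def metadata_fixed(user: BackendUser, file_uid: int) -> dict:
    """Fixed shape: run the read check first and fail with an exception, not data."""
    if not can_read(user, file_uid):
        raise InsufficientFileAccessPermissions(f"{user.username} may not read file {file_uid}")
    return FILES[file_uid][2]
```

In this model the editor only ever sees file 1; files 2 to 5 are outside the mount by folder, by storage, by a `..` escape and by prefix collision respectively, and the vulnerable handler serves all of them.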

Until the update can be applied, consider restricting backend user permissions to minimize exposure and monitor access to file metadata API endpoints.

Consult the TYPO3 Security Guide and subscribe to the typo3-announce mailing list for further security guidance and updates.
