CVE-2026-49738
Path Traversal in TYPO3 CMS

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description
The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison against the project root without requiring a directory separator at the boundary of the match. With a project root of /var/www/html, a path such as /var/www/html-other/secret.yaml therefore passed the check even though it lies in a sibling directory outside the root. Administrator users with access to the File Abstraction Layer (FAL) could exploit this to create new file storage definitions whose base path points to a directory outside the project root. This issue affects TYPO3 CMS 10.4.x before 10.4.57, 11.x before 11.5.51, 12.x before 12.4.46, 13.x before 13.4.31 and 14.x before 14.3.3 (the fixed releases are listed under Mitigation Strategies).
Affected Vendors & Products

Vendor   Product   Version / Range
typo3    typo3     before 10.4.57 (excl.)
typo3    typo3     11.0.0 (incl.) to 11.5.51 (incl.)
typo3    typo3     12.0.0 (incl.) to 12.4.46 (incl.)
typo3    typo3     13.0.0 (incl.) to 13.4.31 (incl.)
typo3    typo3     14.0.0 (incl.) to 14.3.3 (incl.)

Note that this CPE listing gives 11.5.51, 12.4.46, 13.4.31 and 14.3.3 as inclusive upper bounds, while Mitigation Strategies names those same versions as the fixed releases. Treat the fixed releases as not affected and confirm against the vendor's release notes before closing a finding on version alone.
CWE
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Executive Summary

CVE-2026-49738 is a path prefix confusion in the TYPO3 CMS function GeneralUtility::isAllowedAbsPath(). The function validated file paths against the project root with a plain string prefix comparison and never checked that the match ended at a directory separator, so with a project root of /var/www/html a path such as /var/www/html-other/secret.yaml was accepted as if it were inside the root. Administrator users with access to the File Abstraction Layer (FAL) could exploit this to create file storage definitions pointing outside the project root, bypassing the intended restriction.
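
The following Python model, added here as an illustration and not taken from TYPO3's code base, contrasts the bare prefix comparison with a boundary-aware check. The project root and the sibling-directory path come from the advisory text; the remaining test paths and the function names are constructed for this example.

```python
import posixpath

# Constructed example project root, matching the one used in the advisory text.
PROJECT_ROOT = "/var/www/html"


def is_allowed_abs_path_naive(path: str, root: str = PROJECT_ROOT) -> bool:
    """Model of the flawed check: a bare string-prefix comparison.

    '/var/www/html-other/secret.yaml' starts with '/var/www/html', so it passes
    even though it is a sibling directory, not a child of the root.
    """
    return path.startswith(root)


def is_allowed_abs_path_fixed(path: str, root: str = PROJECT_ROOT) -> bool:
    """Boundary-aware check (example hardening, not TYPO3's exact code).

    1. Reject relative paths outright.
    2. Normalise '.', '..' and duplicate separators lexically, so that
       '/var/www/html/../html-other' is compared as '/var/www/html-other'.
    3. Accept only the root itself or paths beginning with root + '/', so the
       match has to end at a directory boundary.
    A production check would also resolve symlinks (os.path.realpath) before
    comparing; that is left out so the example runs offline on any machine.
    """
    if not posixpath.isabs(path):
        return False
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(path)
    return candidate == root or candidate.startswith(root.rstrip("/") + "/")


# Constructed test paths: the advisory's example plus common variants.
CASES = [
    "/var/www/html",                               # the root itself
    "/var/www/html/fileadmin/user_upload/a.png",   # genuinely inside the root
    "/var/www/html-other/secret.yaml",             # advisory example: sibling dir
    "/var/www/htmlbackup/config.php",              # another prefix sibling
    "/var/www/html/../html-other/secret.yaml",     # dot-dot stepping back out
    "/etc/passwd",                                 # unrelated, rejected by both
    "var/www/html/relative",                       # relative, rejected by both
]


def evaluate(cases=CASES, root: str = PROJECT_ROOT) -> dict:
    """Return {path: (naive_result, fixed_result)} for each case."""
    return {
        p: (is_allowed_abs_path_naive(p, root), is_allowed_abs_path_fixed(p, root))
        for p in cases
    }


def prefix_confusion_cases(cases=CASES, root: str = PROJECT_ROOT) -> list:
    """Paths the flawed check accepts but the boundary-aware check rejects."""
    return [p for p, (naive, fixed) in evaluate(cases, root).items() if naive and not fixed]


if __name__ == "__main__":
    for path, (naive, fixed) in evaluate().items():
        print(f"{path:45} naive={naive!s:5} fixed={fixed}")
```

The three paths returned by prefix_confusion_cases() are exactly the shape the advisory describes: they share the root as a string prefix but are not below it once the boundary is enforced.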

Impact Analysis

An administrator with File Abstraction Layer access can register a storage whose base path is outside the project root and then perform the file operations that storage exposes (browse, read, upload, delete) against it, under the permissions of the web server user. The reach is limited to directories whose absolute path begins with the project root string (for example /var/www/html-other when the root is /var/www/html), and exploitation requires an existing administrator account. The flaw therefore matters most on hosts where sibling directories hold another site's configuration or secrets, or where backend administrators are not fully trusted.

Mitigation Strategies

To mitigate CVE-2026-49738, update TYPO3 CMS to a fixed release: 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS or 14.3.3 LTS.

The update changes the path allowance check so that the project root must be followed by a directory separator, which closes the sibling-directory case (/var/www/html-other when the root is /var/www/html). Until it is applied, any administrator with File Abstraction Layer access can register a storage outside the project root, so limit that role to trusted accounts and review the existing storage definitions (see Detection Guidance).

Users are also encouraged to follow the TYPO3 Security Guide and subscribe to the typo3-announce mailing list for further security updates and recommendations.

Compliance Impact

Because an administrator can use the flaw to reach files outside the project root through the TYPO3 file module, it bears on the data confidentiality and integrity requirements of frameworks such as GDPR and HIPAA.

The available information does not describe a direct compliance impact beyond that; whether one exists depends on what the affected installation keeps in the sibling directories the flawed check would have accepted.

Detection Guidance

The flaw sits in GeneralUtility::isAllowedAbsPath(): a storage base path was accepted whenever it began with the project root string, so an administrator with File Abstraction Layer access could register a storage outside the root. Detecting abuse therefore comes down to one question: does any existing file storage definition resolve to a directory that is not inside the project root?

Audit the file storage records (the sys_file_storage table, visible in the backend List module at the root level) and, for each Local-driver storage, resolve its base path to an absolute path and compare it against the project root with a separator-aware check rather than a bare prefix match.

The page's resources give no specific commands; a practical approach is to list the storage definitions in the backend or the database and look for absolute base paths that share a prefix with the project root but are not below it (for example /var/www/html-other/... when the root is /var/www/html), as well as base paths that only appear to stay inside the root before '..' segments are resolved.

If you have shell access, you can also look for the directories a bare prefix match would wrongly accept, and cross-check the database side:

  • Find sibling directories that share the project root's name as a prefix: `find /var/www -maxdepth 1 -type d -name 'html*'`
  • Check the sys_file_storage rows (basePath and pathType in the configuration FlexForm) for absolute base paths that do not start with the project root followed by a directory separator.

Whatever the audit finds, updating TYPO3 to a fixed release is the remediation; removing or correcting an offending storage definition without updating leaves the check bypassable by any administrator.
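
As an added example of the audit described above (written for this page, not a TYPO3 tool), the following Python script parses constructed sys_file_storage-style rows and flags every Local-driver storage whose base path resolves outside the project root. The project root /var/www/html, the sample rows and the helper names are assumptions; the FlexForm field layout (basePath and pathType under sheet sDEF) is the one the Local driver writes, but verify it against your installation's rows before running this over a real export.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed example root, taken from the advisory text. Relative base paths are
# resolved against it here; TYPO3 resolves them against the public web directory,
# which may differ from the project root in Composer-based setups (assumption).
PROJECT_ROOT = "/var/www/html"


def local_driver_flexform(base_path: str, path_type: str) -> str:
    """Build a FlexForm XML string in the layout the Local driver stores in
    sys_file_storage.configuration (assumed field names: basePath, pathType)."""
    return (
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>'
        '<T3FlexForms><data><sheet index="sDEF"><language index="lDEF">'
        f'<field index="basePath"><value index="vDEF">{base_path}</value></field>'
        f'<field index="pathType"><value index="vDEF">{path_type}</value></field>'
        '<field index="caseSensitive"><value index="vDEF">1</value></field>'
        '</language></sheet></data></T3FlexForms>'
    )


# Constructed rows in the shape of sys_file_storage: (uid, name, driver, configuration).
SAMPLE_ROWS = [
    (1, "fileadmin/ (auto-created)", "Local", local_driver_flexform("fileadmin/", "relative")),
    (2, "Shared assets", "Local", local_driver_flexform("/var/www/html/shared/", "absolute")),
    (3, "Other site", "Local", local_driver_flexform("/var/www/html-other/", "absolute")),
    (4, "Backups", "Local", local_driver_flexform("/var/www/html/../html-backup/", "absolute")),
    (5, "Object store", "AmazonS3", "<T3FlexForms/>"),  # non-Local driver: no filesystem path
]


def parse_local_config(xml_text: str):
    """Return (basePath, pathType) from a Local-driver FlexForm, or None if absent."""
    doc = ET.fromstring(xml_text)
    base = doc.find(".//field[@index='basePath']/value")
    kind = doc.find(".//field[@index='pathType']/value")
    if base is None or kind is None:
        return None
    return (base.text or ""), (kind.text or "relative")


def resolve_base_path(base_path: str, path_type: str, root: str = PROJECT_ROOT) -> str:
    """Turn a storage base path into a normalised absolute path ('..' collapsed)."""
    if path_type == "absolute":
        return posixpath.normpath(base_path)
    return posixpath.normpath(posixpath.join(root, base_path))


def inside_root(path: str, root: str = PROJECT_ROOT) -> bool:
    """Separator-aware containment: the root itself, or root + '/' + something."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_storages(rows=SAMPLE_ROWS, root: str = PROJECT_ROOT) -> list:
    """One finding per Local storage whose resolved base path lies outside the root.

    'prefix_only' marks the CVE's shape: the path still begins with the root
    string, so a bare prefix check would have let it through.
    """
    findings = []
    for uid, name, driver, config in rows:
        if driver != "Local":
            continue
        parsed = parse_local_config(config)
        if parsed is None:
            continue
        resolved = resolve_base_path(*parsed, root=root)
        if inside_root(resolved, root):
            continue
        findings.append({
            "uid": uid,
            "name": name,
            "resolved": resolved,
            "prefix_only": resolved.startswith(posixpath.normpath(root)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_storages():
        tag = " [would pass a bare prefix check]" if f["prefix_only"] else ""
        print(f"storage {f['uid']} ({f['name']}): {f['resolved']} is outside {PROJECT_ROOT}{tag}")
```

Replace SAMPLE_ROWS with rows exported from the database (uid, name, driver, configuration) and set PROJECT_ROOT to the installation's actual root; any finding with prefix_only set is exactly the storage shape this CVE allowed an administrator to create.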
