CVE-2026-49741
Status: Deferred - Pending Action

Form Definition Bypass in TYPO3 CMS

Vulnerability report for CVE-2026-49741, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description

Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.


Meta Information

Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-29
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28
External references: NVD, EUVD

Affected Vendors & Products

Showing 6 associated CPEs

Vendor   Product     Version / Range
typo3    typo3_cms   from 14.0.0 (inclusive) to 14.3.3 (inclusive)
typo3    typo3_cms   up to 14.3.2 (exclusive)
typo3    typo3_cms   from 8.5.0 (inclusive) to 8.7.16 (inclusive)
typo3    typo3_cms   from 9.0.0 (inclusive) to 9.3.0 (inclusive)
typo3    typo3_cms   8.7.17
typo3    typo3_cms   9.3.1

Only the first row matches the affected range stated in the description (14.0.0 through 14.3.3 inclusive). The 8.x and 9.x ranges and the single versions 8.7.17 and 9.3.1 do not fall inside that range and appear to be carried over from the earlier advisory TYPO3-CORE-SA-2018-003 that the description references; for patching decisions, treat the 14.x row and the description as authoritative.

CWE

CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

AI-generated analysis
Executive Summary

This vulnerability affects TYPO3 CMS versions 14.0.0 to 14.3.3 and involves backend users who have write access to the form_definition database table. These users could bypass the Form Framework's persistence validation and permission checks by using DataHandler to directly create, update, or delete form definition records. This bypass allowed them to inject arbitrary form configurations, which reintroduced attack vectors such as SQL injection and privilege escalation that were previously addressed in an earlier TYPO3 security advisory.

Impact Analysis

The vulnerability can lead to privilege escalation and SQL injection. A backend user who already holds write access to the form_definition table could write form definition records through DataHandler without the Form Framework's validation, and use the injected form configuration to execute unauthorized database queries or escalate privileges within the TYPO3 backend. This could compromise the integrity and confidentiality of the system, potentially allowing unauthorized access to sensitive data or control over the CMS. Note that the precondition is an authenticated backend account with that table permission; the issue is not reachable anonymously.

Detection Guidance

Detecting exploitation means looking for unexpected create, update or delete operations on the form_definition database table by backend users who hold write access to it. Because the vulnerability lets such writes bypass the Form Framework's validation and permission checks when they go through DataHandler, the record-level audit trail (the table's own timestamps and the DataHandler entries in sys_log) is the primary evidence, not the Form Framework's own logs.

According to this report, the fixed release nullifies DataHandler operations on form_definition that lack a valid persistence token (HMAC-SHA3-384) and has the FormDefinitionDataHandlerHook write an error log entry for each rejected operation. On a patched instance, search for those errors. On an unpatched instance no such check runs and no such errors are written, so the absence of these log entries says nothing; rely on the record-level audit described next.

Suggested commands include:

  • Query the form_definition table for recent changes. tstamp in TYPO3 tables is an integer Unix timestamp, so compare it with an integer rather than a datetime: `SELECT * FROM form_definition WHERE tstamp > UNIX_TIMESTAMP() - 86400;` (MySQL/MariaDB; on PostgreSQL use `EXTRACT(EPOCH FROM NOW()) - 86400`).
  • Query the sys_log table, where DataHandler records every write it performs or rejects: `SELECT tstamp, userid, action, recuid, error, details FROM sys_log WHERE tablename = 'form_definition' ORDER BY tstamp DESC;` Rows with error > 0 are rejected operations; rows with error = 0 are writes that went through and are the ones to review.
  • If you have shell access, grep the TYPO3 log directory (var/log under the project's var path) for the table name, e.g., `grep -i 'form_definition' /path/to/typo3/logs/*`

Additionally, verify the installed TYPO3 version: the description lists 14.0.0 through 14.3.3 inclusive as affected, so any 14.x release up to and including 14.3.3 is vulnerable and the instance must be on a newer release as named in the vendor advisory.

Mitigation Strategies

The primary immediate mitigation is to update TYPO3 CMS to a release newer than 14.3.3, as named in the vendor advisory; the description lists 14.0.0 through 14.3.3 inclusive as affected, so 14.3.3 itself is not a fixed version.

According to this report, the fix introduces a FormDefinitionPersistenceGuard service that enforces the Form Framework's validation and permission checks on create, update, and delete operations on the form_definition table, so that DataHandler writes can no longer bypass them.

Additionally, review backend user permissions so that only trusted users can write to the form_definition table. In TYPO3 this is governed by the "Tables (modify)" setting of backend user groups (the be_groups.tables_modify field), which is inherited through sub-groups; administrator accounts have it unconditionally, so the review must cover admin accounts as well as group membership.
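The record-level audit from the detection list above and the permission review from this mitigation step, as one runnable example added here (it is not TYPO3 code and not part of the original report): it builds an in-memory SQLite copy of the four tables involved, fills it with constructed rows, and runs the checks against it. Table and column names follow TYPO3's schema (form_definition.tstamp as an integer Unix time, sys_log.tablename/recuid/action/error/userid, be_users.admin/usergroup, be_groups.tables_modify); the sample values, the user and group names, and the table name form_definition_archive are assumptions made for the example.

```python
"""Audit helpers for the form_definition checks above. Added example, not
TYPO3 code. Runs against an in-memory SQLite copy of the relevant tables
filled with constructed sample rows; the queries are plain SQL and carry
over to MySQL/MariaDB or PostgreSQL unchanged."""
import sqlite3

NOW = 1_780_000_000   # fixed reference time so results are reproducible
DAY = 86_400

# Constructed sample data. 'form_definition_archive' is a made-up table name,
# present only to show why substring matching on tables_modify is wrong.
SAMPLE_SQL = """
CREATE TABLE form_definition (uid INTEGER PRIMARY KEY, pid INTEGER, tstamp INTEGER);
CREATE TABLE sys_log (uid INTEGER PRIMARY KEY, tstamp INTEGER, userid INTEGER,
                      action INTEGER, tablename TEXT, recuid INTEGER,
                      error INTEGER, details TEXT);
CREATE TABLE be_users (uid INTEGER PRIMARY KEY, username TEXT, admin INTEGER, usergroup TEXT);
CREATE TABLE be_groups (uid INTEGER PRIMARY KEY, title TEXT, tables_modify TEXT);

INSERT INTO form_definition VALUES (1, 5, {old}), (2, 5, {t1}), (3, 5, {t2});
INSERT INTO sys_log VALUES
  (10, {t1}, 3, 2, 'form_definition', 2, 0, 'record updated'),
  (11, {t2}, 3, 1, 'form_definition', 3, 0, 'record inserted'),
  (12, {t2}, 3, 2, 'form_definition', 3, 1, 'operation rejected'),
  (13, {t1}, 2, 2, 'tt_content',      7, 0, 'record updated');
INSERT INTO be_users VALUES
  (1, 'admin',     1, ''),
  (2, 'editor',    0, '2'),
  (3, 'formuser',  0, '1,2'),
  (4, 'archivist', 0, '3');
INSERT INTO be_groups VALUES
  (1, 'form-editors', 'tt_content,form_definition'),
  (2, 'content',      'pages,tt_content'),
  (3, 'legacy',       'form_definition_archive');
"""


def open_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript(SAMPLE_SQL.format(old=NOW - 10 * DAY, t1=NOW - 3600, t2=NOW - 7200))
    return con


def recent_form_definitions(con, since_seconds=DAY, now=NOW):
    """uids of form_definition rows written inside the window, oldest first.
    tstamp is an integer Unix time, so the cutoff is an integer as well."""
    cutoff = now - since_seconds
    rows = con.execute(
        "SELECT uid FROM form_definition WHERE tstamp > ? ORDER BY tstamp, uid",
        (cutoff,),
    )
    return [r["uid"] for r in rows]


def form_definition_log(con, since_seconds=DAY, now=NOW):
    """(userid, action, recuid, error) for every sys_log entry DataHandler wrote
    about form_definition in the window. error > 0 marks a rejected operation;
    error = 0 is a write that went through and deserves a look."""
    cutoff = now - since_seconds
    rows = con.execute(
        "SELECT userid, action, recuid, error FROM sys_log "
        "WHERE tablename = 'form_definition' AND tstamp > ? ORDER BY uid",
        (cutoff,),
    )
    return [tuple(r) for r in rows]


def _csv_set(value):
    """Split a TYPO3 comma-separated list field into a set of tokens."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}


def users_with_write_access(con, table="form_definition"):
    """Backend users that may modify `table`: admins always, others through a
    group whose tables_modify lists it. Sub-group inheritance (be_groups.subgroup)
    is not modelled here. Tokens are matched whole; a LIKE '%form_definition%'
    would also match the unrelated 'form_definition_archive'."""
    groups = {
        g["uid"]: _csv_set(g["tables_modify"])
        for g in con.execute("SELECT uid, tables_modify FROM be_groups")
    }
    allowed = []
    for u in con.execute("SELECT username, admin, usergroup FROM be_users ORDER BY uid"):
        if u["admin"]:
            allowed.append(u["username"])
            continue
        if any(table in groups.get(int(g), set()) for g in _csv_set(u["usergroup"])):
            allowed.append(u["username"])
    return allowed


if __name__ == "__main__":
    con = open_sample_db()
    print("recently written form_definition uids:", recent_form_definitions(con))
    print("DataHandler log entries:", form_definition_log(con))
    print("users able to write form_definition:", users_with_write_access(con))
```

On a real instance, point the same three queries at the production database (the integer cutoff is the only thing to adapt) and extend users_with_write_access to walk be_groups.subgroup, since TYPO3 merges table permissions from sub-groups into the parent group.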

Follow the TYPO3 Security Guide and subscribe to the typo3-announce mailing list for ongoing updates and security advisories.

Compliance Impact

The vulnerability allows backend users with write access to bypass validation and permission checks, enabling injection of arbitrary form configurations that could lead to SQL injection and privilege escalation.

Such unauthorized access and manipulation of form data could potentially lead to unauthorized access to sensitive information or alteration of data, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and data integrity.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards.
