CVE-2026-49741
Form Definition Bypass in TYPO3 CMS

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description
Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3.
Affected Vendors & Products (6 associated CPEs)
Vendor   Product     Version / Range
typo3    typo3_cms   from 14.0.0 (inclusive) to 14.3.3 (inclusive)
typo3    typo3_cms   up to 14.3.2 (exclusive)
typo3    typo3_cms   from 8.5.0 (inclusive) to 8.7.16 (inclusive)
typo3    typo3_cms   from 9.0.0 (inclusive) to 9.3.0 (inclusive)
typo3    typo3_cms   8.7.17
typo3    typo3_cms   9.3.1
CWE ID    Description
CWE-89    The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

This vulnerability affects TYPO3 CMS versions 14.0.0 to 14.3.3 and involves backend users who have write access to the form_definition database table. These users could bypass the Form Framework's persistence validation and permission checks by using DataHandler to directly create, update, or delete form definition records. This bypass allowed them to inject arbitrary form configurations, which reintroduced attack vectors such as SQL injection and privilege escalation that were previously addressed in an earlier TYPO3 security advisory.

Impact Analysis

The vulnerability can lead to serious security impacts including privilege escalation and SQL injection attacks. An attacker with backend write access could manipulate form definitions to execute unauthorized database queries or escalate their privileges within the TYPO3 CMS environment. This could compromise the integrity and confidentiality of the system, potentially allowing unauthorized access to sensitive data or control over the CMS.

Detection Guidance

Detection of this vulnerability involves checking for unauthorized or suspicious modifications to the form_definition database table by backend users with write access. Since the vulnerability allows bypassing validation and permission checks via DataHandler, monitoring database changes and DataHandler operations related to form definitions is crucial.

Specifically, audit logs for DataHandler operations that create, update, or delete records in the form_definition table without a valid persistence token (HMAC-SHA3-384), and look for error log entries written by FormDefinitionDataHandlerHook when it nullifies an unauthorized operation.

Suggested commands include:

  • Query the form_definition table for records changed in the last day (MySQL/MariaDB syntax; TYPO3 stores tstamp as a Unix timestamp, so compare against UNIX_TIMESTAMP() rather than NOW()): `SELECT * FROM form_definition WHERE tstamp > UNIX_TIMESTAMP() - 86400;`
  • Check TYPO3 system logs for DataHandler errors related to form_definition modifications.
  • If you have shell access, use grep to find suspicious DataHandler invocations or error messages in log files, e.g., `grep -i 'form_definition' /path/to/typo3/logs/*`

Additionally, verify the TYPO3 version to ensure it is updated to 14.3.3 or later, as earlier versions are vulnerable.
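To make the log-review step concrete, here is an added example (not part of this advisory page and not TYPO3 code) that runs the detection idea over a few constructed log lines: it parses entries in the layout TYPO3's file log writer is assumed to use, keeps those that mention form_definition or come from FormDefinitionDataHandlerHook, and separates the hook's nullified operations from DataHandler writes that went through unchallenged. The component namespaces and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed layout of one TYPO3 FileWriter log line (an assumption, not from the advisory):
#   <date> [<LEVEL>] request="<id>" component="<component>": <message>
LINE_RE = re.compile(
    r'^(?P<date>.+?) \[(?P<level>[A-Z]+)\] request="(?P<request>[^"]*)" '
    r'component="(?P<component>[^"]*)": (?P<message>.*)$'
)

# Constructed sample lines for this demonstration; component names are hypothetical.
SAMPLE_LOG = """\
Tue, 09 Jun 2026 10:00:01 +0000 [INFO] request="a1b2c3" component="TYPO3.CMS.Core.DataHandling.DataHandler": record tt_content:42 updated
Tue, 09 Jun 2026 10:00:02 +0000 [ERROR] request="d4e5f6" component="TYPO3.CMS.Form.Hooks.FormDefinitionDataHandlerHook": direct write to form_definition:7 denied, operation nullified
Tue, 09 Jun 2026 10:00:03 +0000 [WARNING] request="g7h8i9" component="TYPO3.CMS.Core.DataHandling.DataHandler": record form_definition:8 created
Tue, 09 Jun 2026 10:00:04 +0000 [INFO] request="j0k1l2" component="TYPO3.CMS.Core.Authentication.BackendUserAuthentication": user admin logged in
"""

@dataclass
class Finding:
    request: str
    level: str
    component: str
    message: str
    blocked: bool  # True when the hook reports the operation as nullified

def find_form_definition_events(log_text: str) -> list[Finding]:
    """Return entries that touch form_definition or come from the hook.

    Entries with blocked=False are the ones to review on an unpatched system:
    a DataHandler write to form_definition that nothing rejected.
    """
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparsable line: skip rather than guess at its fields
        from_hook = "FormDefinitionDataHandlerHook" in m["component"]
        if from_hook or "form_definition" in m["message"].lower():
            findings.append(Finding(
                m["request"], m["level"], m["component"], m["message"],
                blocked=from_hook and "nullified" in m["message"].lower(),
            ))
    return findings

if __name__ == "__main__":
    for f in find_form_definition_events(SAMPLE_LOG):
        print("BLOCKED " if f.blocked else "REVIEW  ", f.request, f.message)
```

Point it at the real log directory instead of SAMPLE_LOG and every REVIEW line is a form_definition write that deserves a look against the backend user's expected duties.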

Mitigation Strategies

The primary immediate mitigation step is to update TYPO3 CMS to version 14.3.3 LTS or later, where this vulnerability is fixed.

This update includes the implementation of the FormDefinitionPersistenceGuard service, which enforces strict validation and permission checks on create, update, and delete operations on the form_definition table, preventing unauthorized DataHandler operations.

Additionally, review backend user permissions to ensure that only trusted users have write access to the form_definition table.

Follow the TYPO3 Security Guide and subscribe to the typo3-announce mailing list for ongoing updates and security advisories.
