CVE-2026-49742
Received - Intake
Path Traversal in TYPO3 CMS via Media Module

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description
Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Meta Information
Generated
2026-06-09
EPSS Evaluated
N/A
Affected Vendors & Products
8 associated CPEs

Vendor   Product     Version / Range
typo3    typo3_cms   11.0.0 (inclusive) to 11.5.50 (inclusive)
typo3    typo3_cms   12.0.0 (inclusive) to 12.4.45 (inclusive)
typo3    typo3_cms   13.0.0 (inclusive) to 13.4.30 (inclusive)
typo3    typo3_cms   14.0.0 (inclusive) to 14.3.2 (inclusive)
typo3    typo3_cms   11.5.51
typo3    typo3_cms   12.4.46
typo3    typo3_cms   13.4.31
typo3    typo3_cms   14.3.3

The four single-version entries are the fixed releases named under Mitigation Strategies, not additional affected versions.
CWE

CWE-200  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-22   The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-49742 is a broken access control vulnerability in the Media Module of TYPO3 CMS. It allows backend users who have file download permissions to download files from the fallback storage of the file abstraction layer (FAL). The fallback storage resolves file paths relative to the server's document root, which means sensitive files such as log files could be exposed unintentionally.

This issue affects TYPO3 CMS versions 11.0.0 to 11.5.50, 12.0.0 to 12.4.45, 13.0.0 to 13.4.30, and 14.0.0 to 14.3.2. The vulnerability was fixed by denying downloads from the fallback storage for all users regardless of their permissions.

Impact Analysis

An authenticated backend user who holds file download permissions can retrieve files from the fallback storage, which resolves identifiers relative to the server's document root, and so read files that no configured file storage is meant to expose, such as log files. The result is information disclosure; the advisory gives no indication of write access or code execution.

Log files and similar artefacts routinely contain usernames, file system paths and error details, so the exposure can hand an attacker the reconnaissance needed for further attacks on the installation.

Detection Guidance

The precondition is an authenticated backend account with file download permissions; the vulnerable behaviour is that such an account can download files from the FAL fallback storage (storage uid 0), which resolves identifiers relative to the document root, through the Media Module or the FileDownloadController.

Detection therefore means establishing which accounts could have done this and whether any of them did:

  • Review TYPO3 backend user and group permissions to identify accounts with file download rights.
  • Check web server access logs for backend download requests that reference the fallback storage. FAL addresses files by a combined identifier of the form `storageUid:identifier`, so fallback-storage files carry identifiers beginning with `0:` (URL-encoded `0%3A`); pay particular attention to downloads of log files or other files that belong to no configured storage.
  • Use the TYPO3 backend log (the sys_log table, shown in the Log module) and any audit logging you have in place to correlate file-module actions by those accounts with the access-log hits.

The resources do not provide specific commands. The patterns in the following grep are illustrative; `storage=0` stands for whatever parameter your TYPO3 version uses, while `=0%3A` matches a URL-encoded combined identifier for storage 0:

  • `grep -i 'download' /var/log/apache2/access.log | grep -e 'storage=0' -e '=0%3A'`
  • Querying the TYPO3 database or backend log for file download events by users with download permissions.

Parameters sent in a POST body do not appear in access logs, so the absence of a hit there is not proof that no download took place.
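The access-log check above, written out as a script: this is an added example, not TYPO3 code and not taken from the resources this page cites. It assumes that the backend download endpoint has "download" in its URL path and receives the requested file as a FAL combined identifier (`storageUid:identifier`) in the query string; the endpoint path, the parameter name and the log lines are constructed for illustration. Unlike a grep, it decodes the query string (including double encoding) and distinguishes served downloads from denied ones.

```python
"""Flag backend download requests that reference TYPO3's fallback storage.

Added example for CVE-2026-49742, not TYPO3 code. Assumptions: the backend
download endpoint has "download" in its URL path and receives the requested
file as a FAL combined identifier "storageUid:identifier" in the query
string. Storage uid 0 is the fallback storage, which resolves identifiers
relative to the document root, so any identifier beginning with "0:"
(URL-encoded "0%3A") is of interest. The endpoint path, the parameter name
and the log lines below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/Nginx "combined" access-log format; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

FALLBACK_PREFIX = "0:"
SENSITIVE_SUFFIXES = (".log", ".env", ".sql", ".bak")

# Constructed sample log: two fallback-storage downloads (one served, one
# denied), one legitimate storage-1 download, one directory listing, and one
# POST download whose parameters are in the body and therefore invisible here.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2026:10:14:02 +0000] "GET /typo3/file/download?files%5B0%5D=0%3A%2Ftypo3temp%2Fvar%2Flog%2Ftypo3_errors.log HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2026:10:15:40 +0000] "GET /typo3/file/download?files%5B0%5D=1%3A%2Fuser_upload%2Fbrochure.pdf HTTP/1.1" 200 91122 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2026:10:16:11 +0000] "GET /typo3/module/file/list?id=1%3A%2Fuser_upload%2F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2026:10:17:55 +0000] "POST /typo3/file/download HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2026:10:18:30 +0000] "GET /typo3/file/download?files%5B0%5D=0%3A%2Ftypo3temp%2Fvar%2Flog%2Ftypo3_deprecations.log HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""


def fallback_identifiers(url: str) -> list[str]:
    """Return every query-string value that is a storage-0 combined identifier."""
    query = urlsplit(url).query
    found = []
    for values in parse_qs(query).values():
        for value in values:
            # parse_qs decodes once; a second unquote catches double encoding.
            value = unquote(value)
            if value.startswith(FALLBACK_PREFIX):
                found.append(value)
    return found


def scan_log(text: str) -> list[dict]:
    """Return one record per download request that targeted the fallback storage."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "download" not in m["url"].lower():
            continue
        identifiers = fallback_identifiers(m["url"])
        if not identifiers:
            continue
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "status": int(m["status"]),
            "served": m["status"] == "200",
            "identifiers": identifiers,
            "sensitive": any(i.lower().endswith(SENSITIVE_SUFFIXES) for i in identifiers),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        outcome = "SERVED" if hit["served"] else f"denied ({hit['status']})"
        print(f"{hit['timestamp']} {hit['ip']} {outcome}: {', '.join(hit['identifiers'])}")
```

Run it against a real log with `scan_log(open(path).read())` after adjusting `LOG_RE` to your log format. A served hit (HTTP 200) against a `.log` identifier is the case to escalate; a 403 shows the attempt was blocked. The POST line in the sample produces no record because its parameters never reach the access log, which is why the backend log and database should be checked alongside.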
Mitigation Strategies

The primary mitigation is to update TYPO3 CMS to a release that contains the fix.

  • Upgrade to TYPO3 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS, or a later release of the same branch. The 11.5 and 12.4 fixes are ELTS releases, distributed through the TYPO3 Extended Long Term Support programme rather than the regular release channel.
  • Until the update is applied, limit exposure by restricting which backend accounts hold file download permissions, since the vulnerability requires such an account.

The fix denies downloads from the fallback storage for all users regardless of their permissions, so once updated, files outside the configured storages can no longer be fetched through the Media Module.

Additionally, follow the TYPO3 Security Guide recommendations and subscribe to the typo3-announce mailing list for ongoing security updates.
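A quick way to tell whether an installation needs this update, as an added example (not TYPO3 tooling): the affected ranges and fixed releases below are those stated on this page, and the `composer.lock` excerpt is constructed. Branches the advisory does not list, such as 10.x, are reported as "not listed" rather than safe, because they are out of support and were not assessed.

```python
"""Check an installed TYPO3 core version against the CVE-2026-49742 ranges.

Added example, not TYPO3 code. Ranges and fixed releases are taken from the
advisory text; the composer.lock excerpt is constructed for illustration.
"""
import json
import re

# (first affected, last affected, fixed release) per branch, from the advisory.
AFFECTED_RANGES = (
    ((11, 0, 0), (11, 5, 50), "11.5.51 ELTS"),
    ((12, 0, 0), (12, 4, 45), "12.4.46 ELTS"),
    ((13, 0, 0), (13, 4, 30), "13.4.31 LTS"),
    ((14, 0, 0), (14, 3, 2), "14.3.3 LTS"),
)

# Accepts "13.4.30", "v13.4.30" and "13.4.30-dev"; the suffix is ignored.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess(version: str) -> dict:
    """Classify a core version as affected, fixed, or on a branch the advisory omits."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return {"version": version, "status": "affected", "fixed_in": fixed}
        # Same major branch but past the last affected version: carries the fix.
        if v[0] == low[0] and v > high:
            return {"version": version, "status": "fixed", "fixed_in": fixed}
    return {"version": version, "status": "not listed", "fixed_in": None}


def assess_composer_lock(lock_json: str) -> dict:
    """Find typo3/cms-core in a composer.lock document and assess its version."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "typo3/cms-core":
            return assess(pkg["version"])
    raise LookupError("typo3/cms-core not found in composer.lock")


# Constructed composer.lock excerpt; real files carry many more fields.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "3.0.0"},
        {"name": "typo3/cms-core", "version": "v13.4.30"},
    ]
})

if __name__ == "__main__":
    print(assess_composer_lock(SAMPLE_LOCK))
    for ver in ("11.5.51", "12.4.10", "14.3.3", "10.4.40"):
        print(assess(ver))
```

On a composer-based installation, feed it the real lock file with `assess_composer_lock(open("composer.lock").read())`; on a legacy installation, pass the version shown in the backend's System Information panel to `assess()`.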

Compliance Impact

Because the files reachable through the fallback storage can include logs and other files that no configured storage is meant to expose, exploitation can disclose personal or otherwise confidential data to a backend user who is not authorised to see it.

Such disclosure bears on data protection regimes like GDPR and HIPAA, which require documented access controls over personal and sensitive data and, where a breach occurs, notification within defined deadlines. A confirmed download of fallback-storage files by an unauthorised account should therefore be treated as a potential reportable incident, and the relevant web server and backend logs preserved for the investigation.
