CVE-2026-49738
Severity: LOW
TYPO3 CMS - Broken Access Control in File Abstraction Layer
Title source: cnaDescription
The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
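The root cause above is a generic one: a prefix comparison alone does not establish that a path lies inside a directory, because "/var/www/html-other" shares the prefix "/var/www/html" without being beneath it. The following PHP is an added illustration written for this record, not TYPO3's own GeneralUtility::isAllowedAbsPath() implementation nor the project's fix; the function names and the sample paths are constructed, and it assumes PHP 8.0 or later for str_starts_with(). It places the insufficient prefix-only check beside a boundary-aware check so the difference is visible on the exact case the advisory names.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code): a plain prefix check versus a check that
// requires a directory-separator boundary after the allowed root.

/**
 * Vulnerable pattern: accept $path whenever it merely starts with $root.
 * "/var/www/html-other/secret.yaml" starts with "/var/www/html", so it passes.
 */
function isAllowedPathPrefixOnly(string $path, string $root): bool
{
    return str_starts_with($path, $root);
}

/**
 * Hardened pattern: strip a trailing slash from the root, reject traversal
 * segments, then require $path to equal $root or to continue with "/" directly
 * after it. A production check would additionally canonicalise existing paths
 * (e.g. via realpath()) so symlinks cannot point back outside the root.
 */
function isAllowedPathWithBoundary(string $path, string $root): bool
{
    $root = rtrim($root, '/');
    if ($root === '' || preg_match('#(^|/)\.\.(/|$)#', $path) === 1) {
        return false;
    }
    return $path === $root || str_starts_with($path, $root . '/');
}

// Constructed sample inputs; the project root matches the advisory's example.
$root = '/var/www/html';
$cases = [
    '/var/www/html/fileadmin/a.txt',   // inside the root: both checks accept
    '/var/www/html-other/secret.yaml', // sibling directory: prefix-only wrongly accepts
    '/var/www/html/../html-other/x',   // traversal segment: boundary check rejects
    '/var/www/html',                   // the root itself: accepted by both
];

foreach ($cases as $path) {
    printf(
        "%-36s prefix-only=%-5s boundary=%s\n",
        $path,
        var_export(isAllowedPathPrefixOnly($path, $root), true),
        var_export(isAllowedPathWithBoundary($path, $root), true)
    );
}
```

Running this shows the second case as the divergence: the prefix-only check returns true for the sibling directory while the boundary check returns false. For defenders, the same distinction is worth applying to any "allowed directories" configuration that is compared by string prefix, and the fixed TYPO3 versions listed in this record are the remedy for the File Abstraction Layer case itself.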
References (3)
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2026-016
Patch (Git commit of main branch): https://github.com/TYPO3/typo3/commit/44c2fa9807944136218a0842e3051c0a379a002d
Patch (Git commit of 13.4 branch): https://github.com/TYPO3/typo3/commit/150a983a5d687cedcfc33bbe9c335d9a13fd05e5
Scores
CVSS v4: 2.1
EPSS: 0.0003
EPSS Percentile: 9.9%
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (10)
typo3/cms-core: 0 - 10.4.57 (Packagist)
typo3/cms-core: 11.0.0 - 11.5.51 (Packagist)
typo3/cms-core: 12.0.0 - 12.4.46 (Packagist)
typo3/cms-core: 13.0.0 - 13.4.31 (Packagist)
typo3/cms-core: 14.0.0 - 14.3.3 (Packagist)
TYPO3/TYPO3 CMS: < 10.4.57
TYPO3/TYPO3 CMS: 11.0.0 - 11.5.51
TYPO3/TYPO3 CMS: 12.0.0 - 12.4.46
TYPO3/TYPO3 CMS: 13.0.0 - 13.4.31
TYPO3/TYPO3 CMS: 14.0.0 - 14.3.3
Published: Jun 09, 2026
Tracked Since: Jun 09, 2026