Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (f4fb688c-4412-4426-b4b8-421ecf27b14a) · only source for this CVE.
CVSS VectorVendor: f4fb688c-4412-4426-b4b8-421ecf27b14a
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
AnalysisAI
Improper authorization in TYPO3 CMS Backend API routes allows authenticated backend users to retrieve file metadata for files and folders outside their permitted file mounts or storages. Specifically, the ImageProcessController and LinkController endpoints failed to call checkActionPermission('read') before returning resource data, letting any backend-authenticated user enumerate file system structure beyond their assigned access scope. No active exploitation has been reported and no public exploit code has been identified at time of analysis, but the low-complexity network-accessible nature of the flaw makes it straightforward for any backend user to abuse.
Technical ContextAI
TYPO3 CMS implements a file permission model based on 'file mounts' and 'storages' - administrative constructs that segment which areas of the file system each backend user role can access. CWE-862 (Missing Authorization) is the root cause: two Backend API controller classes, ImageProcessController.php and LinkController.php, were resolving file and folder objects from user-supplied identifiers using the ResourceFactory without subsequently verifying whether the requesting user held 'read' permission on the resolved resource. The commit diff confirms that the fix introduced explicit calls to $resource->checkActionPermission('read') in both controllers, and added exception handling for InsufficientFileAccessPermissionsException and InsufficientFolderAccessPermissionsException to return proper 403/error responses. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N) reflects a network-reachable, low-complexity flaw requiring only a low-privileged backend account, with impact limited to partial confidentiality (file metadata disclosure, not file content).
RemediationAI
Upgrade TYPO3 CMS to the patched release for the applicable branch: 10.4.57 is confirmed as the fix release for the 10.4.x branch (referenced as 'before 10.4.57' in the advisory). For branches 11.x through 14.x, the top of each listed affected range (11.5.51, 12.4.46, 13.4.31, 14.3.3) represents the last vulnerable release; the corresponding fix versions (inferred as 11.5.52, 12.4.47, 13.4.32, and 14.3.4 respectively) should be verified directly against the TYPO3 security advisory at https://typo3.org/security/advisory/typo3-core-sa-2026-015 before deployment. Upstream fix commits are available at https://github.com/TYPO3/typo3/commit/17a3b7830d5931725db5fdab0cfc76d479884c96 and https://github.com/TYPO3/typo3/commit/bfe7c354168f467726020ed49299dd209a455719. If immediate patching is not feasible, a compensating control is to audit and restrict backend user accounts to the minimum necessary roles, ensuring that no untrusted or externally-facing backend accounts exist - this reduces the population of users who could exploit the missing check. Disabling backend access from untrusted networks via IP allowlisting or WAF rules further limits exposure, at the cost of reduced editorial flexibility for remote users.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35399
GHSA-2j54-93q2-3hjq