Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (f4fb688c-4412-4426-b4b8-421ecf27b14a) · only source for this CVE.
CVSS VectorVendor: f4fb688c-4412-4426-b4b8-421ecf27b14a
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3.
AnalysisAI
Missing authorization in TYPO3 CMS's DataHandler allows authenticated backend users with low privileges to move content records across pages without holding edit permissions on the source page. The moveRecord() method in DataHandler.php validated destination-page access but omitted the symmetrical check on the source page, enabling unauthorized restructuring of the content hierarchy. Affected versions are 13.0.0-13.4.31 and 14.0.0-14.3.3; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Technical ContextAI
TYPO3 CMS routes all backend data manipulation - including cross-page record moves - through a central DataHandler class located at typo3/sysext/core/Classes/DataHandling/DataHandler.php. The moveRecord() method is responsible for relocating database records between page nodes in the content tree. CWE-862 (Missing Authorization) identifies the root cause: the method enforced access controls on the destination page but contained no guard verifying that the acting backend user held update rights on the source page. The commit diff confirms the fix inserts a hasPermissionToUpdate($table, $sourcePageRecord) call immediately before the move proceeds; without this, the DataHandler relied solely on destination-side checks. The TYPO3 backend permission model is role-based, with be_users and be_groups records controlling which page subtrees and tables an editor may modify, making the omission a clear privilege boundary violation within the CMS authorization model.
RemediationAI
Apply the upstream patches corresponding to your TYPO3 branch: commit 195356996a60e40aeb2cd3e45a5f5c8940d5e116 addresses the 13.x line and commit c9898d2e67608eda78f8bd1f06ee9cf05a872a56 addresses the 14.x line, both available on the TYPO3 GitHub repository. The exact patched release versions (e.g., 13.4.32, 14.3.4) are not specified in the available input data and must be confirmed via the vendor advisory at https://typo3.org/security/advisory/typo3-core-sa-2026-012 before deploying. If an immediate upgrade is operationally infeasible, audit all backend user group (be_groups) configurations and ensure editor accounts are granted only the minimum required page mount and table permissions; removing move/drag-and-drop capabilities from untrusted editor roles via the backend access module will mitigate the risk. Note that tightening user group permissions may disrupt legitimate editorial workflows and should be tested in a staging environment before applying to production.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35397
GHSA-qcmw-6rm2-5x78