TYPO3 CMS - Broken Access Control in File Abstraction Layer
CVE-2026-49738

2.1LOW

Key Information:

Vendor: Typo3
Status: Typo3 Cms
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-49738?

The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Affected Version(s)

TYPO3 CMS 0 < 10.4.57

TYPO3 CMS 11.0.0 < 11.5.51

TYPO3 CMS 12.0.0 < 12.4.46

References

https://typo3.org/security/advisory/typo3-core-sa-2026-016

vendor-advisory

https://github.com/TYPO3/typo3/commit/44c2fa9807944136218...

patch

https://github.com/TYPO3/typo3/commit/150a983a5d687cedcfc...

patch

CVSS V4

Score:

2.1

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Jun 1, 2026

Credit

Wolfgang Klinger

Oliver Hader

CVE-2026-49738 Data

JSON