TYPO3 CMS – Broken Access Control in Media Module

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Basic Information

ID CVE-2026-49742

Source TYPO3

Published Jun 9, 2026 at 10:54

Modified Jun 9, 2026 at 11:30

Affected Product

Vendor TYPO3

Product TYPO3 CMS

Version 11.0.0

Affected Versions TYPO3 TYPO3 CMS 11.0.0
TYPO3 TYPO3 CMS 12.0.0
TYPO3 TYPO3 CMS 13.0.0
TYPO3 TYPO3 CMS 14.0.0

CWE Classification

CWE-22 CWE-200

References

{
    "lastseen": "",
    "description": "Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.",
    "published": "2026-06-09T10:54:58.139Z",
    "modified": "2026-06-09T11:30:34.203Z",
    "type": "cve",
    "title": "TYPO3 CMS - Broken Access Control in Media Module",
    "source": "TYPO3",
    "references": "https://typo3.org/security/advisory/typo3-core-sa-2026-013\nhttps://github.com/TYPO3/typo3/commit/caa6b444d7ab1bdd1eb76a68004c8be73d98e6ae\nhttps://github.com/TYPO3/typo3/commit/ad636b6183843b57c758a1e12174a75093ac93c3",
    "id": "CVE-2026-49742",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "TYPO3 TYPO3 CMS 11.0.0\nTYPO3 TYPO3 CMS 12.0.0\nTYPO3 TYPO3 CMS 13.0.0\nTYPO3 TYPO3 CMS 14.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "TYPO3 CMS",
    "version": "11.0.0",
    "vendor": "TYPO3",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

TYPO3 CMS – Broken Access Control in Media Module_CVE-2026-49742