CVE-2026-0859 Overview
CVE-2026-0859 is an insecure deserialization vulnerability affecting the TYPO3 content management system's mail-file spool functionality. Local users with write access to the spool directory can craft malicious serialized files that are deserialized during the execution of the mailer:spool:send command, enabling arbitrary PHP code execution on the web server.
This vulnerability represents a significant risk in shared hosting environments or scenarios where multiple users have access to the TYPO3 installation's file system. The deserialization flaw allows attackers to leverage PHP's object injection capabilities to execute arbitrary code within the context of the web server process.
Critical Impact
Local attackers with write access to the mail spool directory can achieve arbitrary PHP code execution on the web server through crafted serialized payloads.
Affected Products
- TYPO3 CMS versions 10.0.0 through 10.4.54
- TYPO3 CMS versions 11.0.0 through 11.5.48
- TYPO3 CMS versions 12.0.0 through 12.4.40
- TYPO3 CMS versions 13.0.0 through 13.4.22
- TYPO3 CMS versions 14.0.0 through 14.0.1
Discovery Timeline
- 2026-01-13 - CVE-2026-0859 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-0859
Vulnerability Analysis
This vulnerability falls under CWE-502 (Deserialization of Untrusted Data), a well-documented security weakness where applications deserialize data from untrusted sources without proper validation. In TYPO3's implementation, the mail-file spool mechanism stores email messages as serialized PHP objects in a designated spool directory. When the mailer:spool:send CLI command is executed, these files are read and deserialized to reconstruct the email objects for delivery.
The fundamental security flaw lies in the lack of integrity verification or content validation before deserialization occurs. PHP's unserialize() function, when processing maliciously crafted serialized data, can instantiate arbitrary classes and trigger magic methods such as __wakeup(), __destruct(), or __toString(). Attackers who can write files to the spool directory can exploit this behavior to construct a serialized payload that, upon deserialization, triggers a chain of method calls (known as a "gadget chain") leading to arbitrary code execution.
The local attack vector requires the attacker to have write access to the spool directory, which limits the exposure compared to remote exploitation scenarios. However, in multi-tenant environments, shared hosting configurations, or systems where file upload functionality exists, this prerequisite may be easier to satisfy than initially apparent.
Root Cause
The root cause of this vulnerability is the unsafe deserialization of user-controllable file contents without implementing proper security controls. The mail spool implementation trusts the integrity and authenticity of files within the spool directory, assuming only legitimate serialized email objects will be present. This trust model fails when attackers gain write access to the spool directory, allowing them to inject malicious serialized objects that exploit PHP's deserialization behavior.
The absence of cryptographic signatures, integrity checks, or allowlist-based class filtering during the deserialization process enables the exploitation of this vulnerability through PHP object injection techniques.
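As an added illustration of the missing controls (this is example code, not TYPO3's spool implementation), the loader below verifies an HMAC over the file before unserialize() runs and restricts unserialize() to an allowlist of classes. It assumes PHP 8, a file layout of "<hex hmac>\n<serialized data>", a key stored outside the web root, and a stand-in SpoolEnvelope class in place of whatever message class the real spool writes.

```php
<?php
// Added example, not TYPO3's spool code: load a spool file only when its
// HMAC verifies and it deserialises into an allowlisted class.
// Assumptions: PHP 8, the writer stores "<hex hmac>\n<serialized data>",
// the key is kept outside the web root, and SpoolEnvelope stands in for
// whatever message class the real spool writes (adjust the allowlist).
declare(strict_types=1);

final class SpoolEnvelope { public function __construct(public string $to, public string $body) {} }
const SPOOL_ALLOWED_CLASSES = [SpoolEnvelope::class];

function writeSpoolFile(string $path, object $message, string $key): void
{
    $data = serialize($message);
    file_put_contents($path, hash_hmac('sha256', $data, $key) . "\n" . $data, LOCK_EX);
}

function readSpoolFile(string $path, string $key): SpoolEnvelope
{
    $raw = file_get_contents($path);
    if ($raw === false || strpos($raw, "\n") === false) {
        throw new RuntimeException("Malformed spool file: $path");
    }
    [$tag, $data] = explode("\n", $raw, 2);
    // Files written by anyone who lacks the key fail here, before unserialize() sees them.
    if (!hash_equals(hash_hmac('sha256', $data, $key), $tag)) {
        throw new RuntimeException("Integrity check failed: $path");
    }
    // Defence in depth: classes outside the allowlist become __PHP_Incomplete_Class,
    // so their __wakeup()/__destruct() never run even if the key leaks.
    $obj = unserialize($data, ['allowed_classes' => SPOOL_ALLOWED_CLASSES]);
    if (!$obj instanceof SpoolEnvelope) {
        throw new RuntimeException("Unexpected payload type in $path");
    }
    return $obj;
}

// Demo with constructed files: a legitimately written file loads; a file
// dropped into the directory without the key is rejected.
$key = random_bytes(32); // in production, read from a file outside the web root
$dir = sys_get_temp_dir();
writeSpoolFile("$dir/good.message", new SpoolEnvelope('a@example.test', 'hello'), $key);
echo readSpoolFile("$dir/good.message", $key)->to, PHP_EOL;
file_put_contents("$dir/foreign.message", str_repeat('0', 64) . "\n" . 'O:8:"stdClass":0:{}');
try { readSpoolFile("$dir/foreign.message", $key); } catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

The HMAC check is the primary control; allowed_classes alone does not stop magic methods on classes that are on the allowlist, so it only narrows what an attacker can reach.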
Attack Vector
The attack follows a local privilege escalation pattern requiring file system access. An attacker must first obtain write permissions to the TYPO3 mail spool directory, which may be achieved through:
- Compromised user accounts with legitimate file system access
- Other vulnerabilities that permit arbitrary file writes
- Shared hosting misconfigurations
- Compromised FTP/SFTP credentials
Once write access is obtained, the attacker crafts a malicious serialized PHP object leveraging available gadget chains within TYPO3 or its dependencies. This malicious file is placed in the spool directory. When the system administrator or a scheduled cron job executes the mailer:spool:send command, the malicious payload is deserialized, triggering the embedded code execution logic.
The vulnerability mechanism involves PHP's native serialization format being exploited through property-oriented programming (POP) chains. See the TYPO3 Security Advisory for complete technical details on the affected code paths and remediation approach.
Detection Methods for CVE-2026-0859
Indicators of Compromise
- Unusual or unexpected files appearing in the TYPO3 mail spool directory with suspicious serialized content
- Web server process spawning unexpected child processes or network connections following spool processing
- Anomalous PHP error logs indicating deserialization failures or class instantiation errors
- Unauthorized modifications to the spool directory permissions or ownership
Detection Strategies
- Monitor file system activity in the TYPO3 mail spool directory for unauthorized writes or unexpected file creations
- Implement file integrity monitoring (FIM) to detect modifications to critical TYPO3 directories including the mail spool
- Review web server and PHP error logs for deserialization-related exceptions or unusual class loading patterns
- Deploy endpoint detection solutions to identify suspicious process execution chains originating from PHP processes
Monitoring Recommendations
- Enable detailed logging for the mailer:spool:send command execution and monitor for abnormal behavior
- Configure alerts for file creation events in the spool directory from non-standard sources
- Implement application-level logging to track command execution patterns and identify unauthorized CLI access
- Monitor system call activity from PHP-FPM or Apache/nginx worker processes for signs of code execution
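One way to act on the spool-directory indicators above, as an added example rather than a TYPO3 tool: inventory the class names referenced by each spool file without deserialising anything, and flag files that name classes the spool never writes, have a different owner than the spool directory, or are group/world writable. The spool path and the expected class name App\Mail\Envelope are placeholders to adapt to the installation.

```php
<?php
// Added example, not TYPO3 code: inventory the classes referenced by every
// spool file without deserialising anything, and flag files that reference
// classes outside the expected set, have a different owner than the spool
// directory, or are group/world writable. Assumptions: the spool path and
// the expected class names are placeholders for the real installation.
declare(strict_types=1);

function serializedClassNames(string $data): array
{
    // Object tokens in PHP's format look like O:8:"stdClass":0:{ (C:... for
    // classes implementing Serializable); collect the quoted class names.
    preg_match_all('/(?:^|[;{])[OC]:\d+:"([^"]+)":/', $data, $m);
    return array_values(array_unique($m[1]));
}

function scanSpoolDir(string $dir, array $expectedClasses): array
{
    $findings = [];
    $dirOwner = fileowner($dir);
    foreach (new DirectoryIterator($dir) as $f) {
        if ($f->isDot() || !$f->isFile()) {
            continue;
        }
        $path = $f->getPathname();
        $foreign = array_diff(serializedClassNames((string) file_get_contents($path)), $expectedClasses);
        if ($foreign) {
            $findings[] = "$path references unexpected classes: " . implode(', ', $foreign);
        }
        if ($f->getOwner() !== $dirOwner) {
            $findings[] = "$path owner uid {$f->getOwner()} differs from spool directory owner uid $dirOwner";
        }
        if ($f->getPerms() & 022) {
            $findings[] = sprintf('%s is group/world writable (%o)', $path, $f->getPerms() & 0777);
        }
    }
    return $findings;
}

// Demo on a constructed spool directory: one expected message file and one
// file that references a class the spool never writes.
$dir = sys_get_temp_dir() . '/spool-scan-demo';
@mkdir($dir, 0700);
file_put_contents("$dir/1.message", 'O:17:"App\Mail\Envelope":0:{}');
file_put_contents("$dir/2.message", 'a:1:{i:0;O:8:"stdClass":0:{}}');
foreach (scanSpoolDir($dir, ['App\Mail\Envelope']) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it from cron or a FIM hook before mailer:spool:send executes; a file that names an unexpected class is worth quarantining before the spool is processed.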
How to Mitigate CVE-2026-0859
Immediate Actions Required
- Update TYPO3 CMS immediately to a patched release that addresses CVE-2026-0859
- Review and restrict file system permissions on the mail spool directory to limit write access
- Audit user accounts and processes with access to the TYPO3 installation directories
- Inspect the mail spool directory for any suspicious or unexpected files and remove them
Patch Information
TYPO3 has released security patches to address this deserialization vulnerability. The fixes are available through multiple commits in the TYPO3 GitHub repository:
For complete details on affected versions and upgrade paths, refer to the official TYPO3 Security Advisory TYPO3-CORE-SA-2026-004.
Workarounds
- Restrict write access to the mail spool directory to only the web server user, removing access from other local users
- Consider switching from file-based mail spooling to alternative transport methods such as database or memory-based queuing
- Implement strict file system permissions using chmod 700 on the spool directory to prevent unauthorized access
- Deploy application-level access controls to limit which processes can interact with the spool directory
# Restrict spool directory permissions
chmod 700 /path/to/typo3/var/spool
chown www-data:www-data /path/to/typo3/var/spool
# Verify current permissions
ls -la /path/to/typo3/var/spool
# Optional: Move to alternative mail transport by updating LocalConfiguration.php
# Consult TYPO3 documentation for switching mail transport methods
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

