CVE-2026-46723 Overview
CVE-2026-46723 is an information disclosure vulnerability in TYPO3 affecting the page and tt_content indexers. The additional_tables configuration accepts arbitrary table and field names without validation. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index. This exposes credentials, password hashes, and other restricted data through standard search queries. The flaw is classified as [CWE-668] Exposure of Resource to Wrong Sphere.
Critical Impact
Authenticated backend users whose group is allowed to edit indexer configuration records can exfiltrate sensitive data from internal TYPO3 tables by pointing the additional_tables setting at arbitrary tables and fields; the indexer then copies those values into the search index, where ordinary search queries return them.
Affected Products
- TYPO3 CMS page indexer extension
- TYPO3 CMS tt_content indexer extension
- TYPO3 installations exposing indexer configuration to backend editors
Discovery Timeline
- 2026-05-19 - CVE-2026-46723 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-46723
Vulnerability Analysis
The vulnerability resides in how the page and tt_content indexers process the additional_tables configuration parameter. The indexer accepts the table and field identifiers a backend user enters and incorporates them into its index-building queries without checking them against an allow-list of content tables. Anyone with backend access to the configuration record can therefore reference any table in the TYPO3 database, including be_users, fe_users, or other tables holding password hashes, session data, and personally identifiable information. On the next run the indexer writes the referenced field values into the search index that the front-end search serves, so the data becomes discoverable through the normal search interface. The issue is tracked under CWE-668, which covers exposing a resource to a sphere (here, search users) that was never meant to have it.
Root Cause
The root cause is missing input validation on the additional_tables configuration field. The indexer treats the user-supplied identifiers as trusted and never restricts them to the content tables it was designed to index. No check confirms that the configured tables and fields are appropriate for full-text indexing, so a configuration edit alone is enough to widen the indexer's scope to credential and session tables.
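The following added example (not code from TYPO3 or from the affected extension) contrasts the missing check with the one a fixed indexer needs. It assumes additional_tables is a comma-separated list of `table.field` references and that the indexer's legitimate scope is a small allow-list of pages and tt_content fields; both are assumptions chosen for illustration, and the real format and list depend on the extension.

```python
import re

# Allow-list of content tables and fields an indexer may read. This list is an
# assumption for the example; the real scope depends on the indexer extension.
ALLOWED_FIELDS = {
    "pages": frozenset({"title", "subtitle", "abstract", "keywords", "description"}),
    "tt_content": frozenset({"header", "subheader", "bodytext"}),
}

# A plain SQL identifier, so a reference cannot carry punctuation or spaces.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_additional_tables(value):
    """Split a comma-separated list of 'table.field' references (assumed format)
    into (table, field) tuples without judging them."""
    refs = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        table, sep, field = item.partition(".")
        if not sep or not table or not field:
            raise ValueError(f"expected table.field, got {item!r}")
        refs.append((table.strip(), field.strip()))
    return refs


def vulnerable_column_list(value):
    """Pre-fix behaviour: whatever the editor typed is what the indexer copies."""
    return [f"{t}.{f}" for t, f in parse_additional_tables(value)]


def validated_column_list(value):
    """Hardened behaviour: reject malformed identifiers and any table or field
    outside the allow-list before anything reaches the index-building query."""
    columns = []
    for table, field in parse_additional_tables(value):
        if not IDENTIFIER.match(table) or not IDENTIFIER.match(field):
            raise ValueError(f"malformed identifier {table}.{field}")
        if table not in ALLOWED_FIELDS:
            raise ValueError(f"{table} is not an indexable content table")
        if field not in ALLOWED_FIELDS[table]:
            raise ValueError(f"{table}.{field} is not an indexable field")
        columns.append(f"{table}.{field}")
    return columns


def is_safe_config(value):
    """True if the configuration passes the hardened check, False if rejected."""
    try:
        validated_column_list(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed hostile configuration: content field plus two credential columns.
    hostile = "tt_content.bodytext, be_users.password, fe_users.email"
    print("vulnerable indexer would copy:", vulnerable_column_list(hostile))
    print("hardened indexer accepts it:", is_safe_config(hostile))
```

The same `validated_column_list` check doubles as an audit routine: run it over every stored additional_tables value and any record that raises is one to inspect.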
Attack Vector
Exploitation requires an authenticated backend account whose group is allowed to edit indexer configuration records. The attacker edits the additional_tables setting so that it references internal tables and fields holding sensitive data, for example the password column of be_users. On the next indexing run the indexer copies those values into the search index, and the attacker, or anyone else allowed to search, reads them back through ordinary search queries. No special tooling is required. The traces left behind are the modified configuration record (visible in the record's change history and in sys_log) and the foreign data sitting in the index itself; the retrieval step looks like normal search traffic.
The vulnerability mechanism is described in the TYPO3 Security Advisory TYPO3-EXT-SA-2026-011. No public proof-of-concept code is available.
Detection Methods for CVE-2026-46723
Indicators of Compromise
- Modifications to indexer configuration records referencing tables outside the typical content scope, such as be_users, fe_users, sys_log, or sys_registry.
- Search index entries containing strings that match password hash formats, email addresses, or session tokens.
- Backend audit log entries showing edits to indexer additional_tables settings by non-administrative accounts.
Detection Strategies
- Audit current indexer configurations for any additional_tables values that reference internal TYPO3 system tables.
- Run targeted search queries against the live index for known sensitive patterns (hash prefixes, internal usernames) to confirm exposure.
- Review TYPO3 backend change logs for recent edits to indexer extension configurations correlated with anomalous user sessions.
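The two detection strategies above, index content scanning and change-log review, as an added example (not code from TYPO3 or the affected extension). The index rows and sys_log rows are constructed sample data; the configuration table name, the set of approved editor user ids, and the change window are assumptions for the example. The password-hash prefixes are the ones TYPO3's password hashing service writes (argon2i, argon2id, bcrypt, pbkdf2, phpass, and legacy md5-crypt); the long-hex-run check is a generic heuristic for session ids and tokens, not a TYPO3-specific format.

```python
import re
from datetime import datetime, timezone

# Indexer configuration table: an ASSUMPTION for this example, the real name
# depends on the extension in use (see its ext_tables.sql).
CONFIG_TABLE = "tx_indexerconfig_example"

# Backend user ids approved to edit indexer configuration (assumption: uid 1).
APPROVED_EDITORS = {1}

# Prefixes of hashes TYPO3's password hashing service produces.
HASH_PREFIX = re.compile(r"\$(?:argon2id?|2[aby]|pbkdf2-sha256|P|1)\$")
EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b")
# Heuristic: 32+ lowercase hex characters in a row looks like a session id or token.
HEX_TOKEN = re.compile(r"\b[0-9a-f]{32,}\b")

PATTERNS = [("password_hash", HASH_PREFIX), ("email", EMAIL), ("hex_token", HEX_TOKEN)]


def scan_index_rows(rows):
    """Return (uid, [pattern names]) for every index row whose content matches
    at least one sensitive-data pattern."""
    findings = []
    for row in rows:
        hits = [name for name, rx in PATTERNS if rx.search(row["content"])]
        if hits:
            findings.append((row["uid"], hits))
    return findings


def suspicious_config_edits(sys_log_rows, window_start, window_end):
    """Flag sys_log entries that touch the indexer configuration table and were
    made by an unapproved user or outside the approved change window.
    Rows use the sys_log column names userid, tablename, recuid and tstamp."""
    flagged = []
    for row in sys_log_rows:
        if row["tablename"] != CONFIG_TABLE:
            continue
        when = datetime.fromtimestamp(row["tstamp"], tz=timezone.utc)
        reasons = []
        if row["userid"] not in APPROVED_EDITORS:
            reasons.append("unapproved_user")
        if not (window_start <= when <= window_end):
            reasons.append("outside_change_window")
        if reasons:
            flagged.append((row["uid"], row["recuid"], reasons))
    return flagged


def _ts(hour):
    """Epoch seconds for 2026-05-20 at the given UTC hour (sample data helper)."""
    return int(datetime(2026, 5, 20, hour, tzinfo=timezone.utc).timestamp())


# Constructed sample data, not taken from any real installation.
SAMPLE_INDEX_ROWS = [
    {"uid": 1, "content": "Welcome to the site"},
    {"uid": 2, "content": "$argon2i$v=19$m=65536,t=16,p=1$c2FsdHNhbHQ$aGFzaGhhc2g"},
    {"uid": 3, "content": "Write to editor@example.org for details"},
    {"uid": 4, "content": "ses_id=0123456789abcdef0123456789abcdef"},
]
WINDOW = (datetime(2026, 5, 20, 9, tzinfo=timezone.utc),
          datetime(2026, 5, 20, 17, tzinfo=timezone.utc))
SAMPLE_SYS_LOG = [
    {"uid": 10, "userid": 1, "tablename": CONFIG_TABLE, "recuid": 3, "tstamp": _ts(10)},
    {"uid": 11, "userid": 7, "tablename": CONFIG_TABLE, "recuid": 3, "tstamp": _ts(11)},
    {"uid": 12, "userid": 1, "tablename": CONFIG_TABLE, "recuid": 5, "tstamp": _ts(2)},
    {"uid": 13, "userid": 7, "tablename": "tt_content", "recuid": 99, "tstamp": _ts(11)},
]

if __name__ == "__main__":
    print("index findings:", scan_index_rows(SAMPLE_INDEX_ROWS))
    print("suspicious edits:", suspicious_config_edits(SAMPLE_SYS_LOG, *WINDOW))
```

Email hits deserve lower severity than hash hits, since contact addresses legitimately appear in page content; a hash prefix in indexed text has no benign explanation. For a live system, feed `scan_index_rows` the rows of the extension's index table and `suspicious_config_edits` a sys_log export filtered to the configuration table.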
Monitoring Recommendations
- Alert on any change to indexer additional_tables configuration outside an approved change window.
- Monitor search index size and content growth for sudden spikes following configuration changes.
- Track backend user permission grants that include indexer configuration rights and review them quarterly.
How to Mitigate CVE-2026-46723
Immediate Actions Required
- Apply the fixed indexer extension version referenced in the TYPO3 Security Advisory TYPO3-EXT-SA-2026-011.
- Restrict the backend permission to edit indexer configurations to trusted administrators only.
- Purge and rebuild the search index after patching so that sensitive data already copied into it is removed rather than left behind in stale entries.
- Rotate credentials and session tokens that may have been exposed through the index.
Patch Information
TYPO3 has released a fixed version of the affected indexer extension. Refer to the TYPO3 Security Advisory TYPO3-EXT-SA-2026-011 for the exact patched versions and upgrade instructions. Confirm the installed extension version after upgrade and verify the patched build matches vendor-published artifacts.
Workarounds
- Remove the indexer configuration edit permission from all non-administrator backend groups until the patch is applied.
- Manually review and clean the additional_tables setting on every indexer configuration record, restricting it to expected content tables.
- Purge and rebuild the search index to eliminate any previously indexed sensitive fields.
# Configuration example
# Review affected indexer configurations in the TYPO3 database.
# The table name below is a placeholder: use the configuration table of the
# indexer extension actually installed (see its ext_tables.sql).
SELECT uid, title, additional_tables
FROM tx_indexedsearch_config
WHERE additional_tables IS NOT NULL
  AND additional_tables <> '';
# Restricting who may edit these records is a backend user group setting, not a
# TypoScript or TSconfig option: remove the configuration table from the group's
# "Tables (modify)" permission (be_groups.tables_modify) in the Backend Users
# module for every non-administrator group.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.