CVE-2026-46724 Overview
CVE-2026-46724 is a path traversal vulnerability [CWE-22] affecting a TYPO3 file indexer extension. The file indexer fails to normalize the configured directory path before reading documents from the server file system. A backend user with permission to edit indexer configurations can supply path traversal sequences such as ../ to index documents from arbitrary locations on the server. This results in unauthorized disclosure of file contents outside the intended indexing scope. The flaw requires authenticated access with elevated backend privileges, which limits exploitation to users who already hold configuration rights within the TYPO3 backend.
Critical Impact
Authenticated backend users can read arbitrary server-side files by injecting path traversal sequences into indexer directory configurations, exposing sensitive application data and credentials.
Affected Products
- TYPO3 file indexer extension (see vendor advisory TYPO3-EXT-SA-2026-011)
- TYPO3 CMS deployments using the affected indexer extension
- Backend installations where editors hold indexer configuration permissions
Discovery Timeline
- 2026-05-19 - CVE-2026-46724 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-46724
Vulnerability Analysis
The vulnerability stems from missing path normalization in the file indexer logic. When a backend user configures a target directory for indexing, the extension accepts the value without canonicalizing the path or validating it against an allowlist. Sequences like ../../../etc traverse outside the intended document root. The indexer then reads and processes files from the resolved location, exposing their contents through the indexed search results or stored index records.
The attack vector requires network access to the TYPO3 backend and authenticated privileges to modify indexer configurations. Exploitation does not require user interaction beyond the attacker's own configuration changes. The impact is limited to confidentiality of file system data accessible to the web server process. Integrity and availability of the host system remain unaffected.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory. The indexer code path concatenates or passes the user-supplied directory string directly to file system read operations without invoking a canonicalization routine such as realpath() and without verifying that the resolved path remains within an approved base directory.
Attack Vector
An authenticated backend user with indexer configuration rights submits a directory path containing traversal sequences. The indexer resolves the path at runtime and reads files from the attacker-chosen location. Sensitive targets include configuration files, credential stores, private keys, and source code outside the public web root. Refer to the TYPO3 Security Advisory for technical details specific to the affected extension version.
Detection Methods for CVE-2026-46724
Indicators of Compromise
- Indexer configuration records containing ../, ..\, or absolute paths pointing outside the configured document root.
- TYPO3 backend audit log entries showing modifications to indexer directory settings by non-administrative users.
- Web server file access logs recording reads of sensitive files such as /etc/passwd, typo3conf/LocalConfiguration.php, or .env from the indexer process context.
Detection Strategies
- Review the TYPO3 backend change history for recent edits to indexer configuration entities.
- Inspect stored indexer paths in the database and flag any value containing traversal tokens or absolute references outside expected directories.
- Correlate file system access events from the web server user with indexer execution windows to identify out-of-scope reads.
Monitoring Recommendations
- Enable verbose audit logging on the TYPO3 backend, focusing on extension configuration changes.
- Monitor outbound search index content for unexpected file paths or sensitive strings such as private key headers.
- Alert on any indexer job that resolves paths outside the documented content directories.
How to Mitigate CVE-2026-46724
Immediate Actions Required
- Apply the patched version of the affected TYPO3 extension as listed in the TYPO3 Security Advisory.
- Audit all existing indexer configurations and remove entries containing path traversal sequences or paths outside approved directories.
- Reduce the number of backend users holding indexer configuration permissions to the minimum required.
Patch Information
The TYPO3 security team has published advisory TYPO3-EXT-SA-2026-011 with patched extension versions. Upgrade the affected extension to the fixed release identified in the advisory. After patching, re-run indexer jobs to regenerate clean index data and discard any previously indexed content that may include files read through the traversal.
Workarounds
- Restrict the backend permission that allows editing of indexer configurations to trusted administrators only.
- Apply file system-level access controls so the web server user cannot read sensitive files outside the document root.
- Implement a reverse-proxy or WAF rule that inspects backend form submissions for traversal sequences in indexer fields.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
