CVE-2026-47350: TYPO3 CMS Auth Bypass Vulnerability

CVE-2026-47350 Overview

CVE-2026-47350 is a missing authorization vulnerability [CWE-862] in the TYPO3 CMS content management system. Authenticated backend users can move records from a source page to a different target page without holding edit permissions on the source page. The flaw resides in the DataHandler component, which failed to verify update permissions on the source page record before processing a move operation. The issue affects TYPO3 CMS versions 13.0.0 through 13.4.31 and 14.0.0 through 14.3.3.

Critical Impact
Backend users with limited privileges can relocate records out of pages they are not authorized to modify, breaking the editorial permission model and enabling unauthorized data manipulation across the content tree.

Affected Products

TYPO3 CMS versions 13.0.0 through 13.4.31
TYPO3 CMS versions 14.0.0 through 14.3.3
TYPO3 Core DataHandler component in typo3/sysext/core

Discovery Timeline

2026-06-09 - CVE-2026-47350 published to NVD
2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-47350

Vulnerability Analysis

The vulnerability stems from an incomplete permission check inside the TYPO3 DataHandler class, which orchestrates all create, update, and move operations in the backend. When a record was moved to a different page identifier (pid), DataHandler verified insert permissions on the target page but did not verify update permissions on the source page. Backend users could therefore move records away from pages they were never authorized to edit, provided they could insert into a destination page they controlled.

This represents a broken access control failure mapped to [CWE-862] Missing Authorization. The impact is limited to integrity of records relative to the source page hierarchy. Confidentiality and availability are not directly affected, and the attacker must already hold an authenticated backend session.

Root Cause

The DataHandler::moveRecord flow contained a conditional branch handling the case where the source pid differs from the target pid. That branch only invoked hasPermissionToInsert() against the target page. It never called hasPermissionToUpdate() against the source page record, leaving the source page completely unchecked during move operations.

Attack Vector

An authenticated backend user with insert permissions on any destination page can issue a move request through the standard TYPO3 backend interface or DataHandler API. The request specifies a source record located on a page the user cannot edit. Because the source-side permission check was missing, the move succeeds and the record is relocated. No user interaction beyond the attacker's own action is required.

php

// Security patch in DataHandler.php (TYPO3 fix)
} else {
    if ($isMovingToDifferentPid) {
+       if (!$this->hasPermissionToUpdate($table, $sourcePageRecord)) {
+           // When record is moved to different target, update permissions on source page are needed
+           $this->log($table, $sourceUid, SystemLogDatabaseAction::MOVE, null,
+               SystemLogErrorClassification::USER_ERROR,
+               'Attempt to move record {table}:{uid} to pid "{targetPid}" without having permissions to update the source page (uid={sourcePid})',
+               null,
+               ['table' => $table, 'uid' => $sourceUid, 'targetPid' => $updateFields['pid'], 'sourcePid' => $sourcePid],
+               $sourcePid);
+           return;
+       }
        if (!$this->hasPermissionToInsert($table, $updateFields['pid'], $targetPageRecord)) {
            // When record is moved to different page, insert permissions on target are needed
            $this->log($table, $sourceUid, SystemLogDatabaseAction::MOVE, null,
                SystemLogErrorClassification::USER_ERROR,
                'Attempt to move record {table}:{uid} to pid "{targetPid}" without having permissions to insert',
                null,
                ['table' => $table, 'uid' => $sourceUid, 'targetPid' => $updateFields['pid']],
                $updateFields['pid']);

Source: TYPO3 commit 1953569

Detection Methods for CVE-2026-47350

Indicators of Compromise

TYPO3 sys_log entries with SystemLogDatabaseAction::MOVE referencing source pages the acting backend user does not own or normally edit.
Records appearing under pages where the most recent modifying user has no historical edit activity on the prior parent page.
Unexpected drops in record counts on protected pages without corresponding deletion log entries.

Detection Strategies

Audit the sys_log table for MOVE actions and correlate the userid against backend group permissions on the original pid.
Review record histories via the TYPO3 backend History/Undo module to identify moves that crossed permission boundaries.
Compare snapshots of pages and content tables against backup baselines to detect records that changed pid without a corresponding authorized workflow.

Monitoring Recommendations

Forward TYPO3 backend logs to a centralized logging or SIEM platform and alert on MOVE actions performed by non-administrative users.
Monitor for repeated move operations from a single backend user across multiple source pages within short time windows.
Track changes to backend group and user permission assignments to detect attempts to chain this flaw with permission tampering.

How to Mitigate CVE-2026-47350

Immediate Actions Required

Upgrade TYPO3 CMS to version 13.4.32 (or later in the 13.x branch) or version 14.3.4 (or later in the 14.x branch) as published in the TYPO3 security advisory.
Review backend user and group permissions to enforce least privilege on page-level edit rights.
Audit recent sys_logMOVE entries to identify any unauthorized relocations performed before patching.

Patch Information

The TYPO3 security team released fixes in commits 1953569 and c9898d2. The patch adds a hasPermissionToUpdate() check on the source page record inside DataHandler before allowing a move to a different pid. Move attempts without the required source-page update permission are now rejected and logged as a USER_ERROR. Full vendor details are available in the TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-012.

Workarounds

If immediate patching is not feasible, restrict backend access so that only trusted editors hold insert permissions on any pages within the site tree.
Temporarily disable record move functionality for non-administrative backend groups via Backend User TSconfig until the patched version is deployed.
Increase logging verbosity for DataHandler operations and review move actions daily until the upgrade is applied.

bash

# Verify installed TYPO3 version against fixed releases
php vendor/bin/typo3 --version

# Update via Composer to a patched release
composer require typo3/cms-core:"^13.4.32 || ^14.3.4" -W

# Clear caches after upgrade
php vendor/bin/typo3 cache:flush

CVE-2026-47350 Overview

Critical Impact
Backend users with limited privileges can relocate records out of pages they are not authorized to modify, breaking the editorial permission model and enabling unauthorized data manipulation across the content tree.

Affected Products

TYPO3 CMS versions 13.0.0 through 13.4.31
TYPO3 CMS versions 14.0.0 through 14.3.3
TYPO3 Core DataHandler component in typo3/sysext/core

Discovery Timeline

2026-06-09 - CVE-2026-47350 published to NVD
2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-47350

Vulnerability Analysis

Root Cause

Attack Vector

php

// Security patch in DataHandler.php (TYPO3 fix)
} else {
    if ($isMovingToDifferentPid) {
+       if (!$this->hasPermissionToUpdate($table, $sourcePageRecord)) {
+           // When record is moved to different target, update permissions on source page are needed
+           $this->log($table, $sourceUid, SystemLogDatabaseAction::MOVE, null,
+               SystemLogErrorClassification::USER_ERROR,
+               'Attempt to move record {table}:{uid} to pid "{targetPid}" without having permissions to update the source page (uid={sourcePid})',
+               null,
+               ['table' => $table, 'uid' => $sourceUid, 'targetPid' => $updateFields['pid'], 'sourcePid' => $sourcePid],
+               $sourcePid);
+           return;
+       }
        if (!$this->hasPermissionToInsert($table, $updateFields['pid'], $targetPageRecord)) {
            // When record is moved to different page, insert permissions on target are needed
            $this->log($table, $sourceUid, SystemLogDatabaseAction::MOVE, null,
                SystemLogErrorClassification::USER_ERROR,
                'Attempt to move record {table}:{uid} to pid "{targetPid}" without having permissions to insert',
                null,
                ['table' => $table, 'uid' => $sourceUid, 'targetPid' => $updateFields['pid']],
                $updateFields['pid']);

Source: TYPO3 commit 1953569

Detection Methods for CVE-2026-47350

Indicators of Compromise

TYPO3 sys_log entries with SystemLogDatabaseAction::MOVE referencing source pages the acting backend user does not own or normally edit.
Records appearing under pages where the most recent modifying user has no historical edit activity on the prior parent page.
Unexpected drops in record counts on protected pages without corresponding deletion log entries.

Detection Strategies

Audit the sys_log table for MOVE actions and correlate the userid against backend group permissions on the original pid.
Review record histories via the TYPO3 backend History/Undo module to identify moves that crossed permission boundaries.
Compare snapshots of pages and content tables against backup baselines to detect records that changed pid without a corresponding authorized workflow.

Monitoring Recommendations

Forward TYPO3 backend logs to a centralized logging or SIEM platform and alert on MOVE actions performed by non-administrative users.
Monitor for repeated move operations from a single backend user across multiple source pages within short time windows.
Track changes to backend group and user permission assignments to detect attempts to chain this flaw with permission tampering.

How to Mitigate CVE-2026-47350

Immediate Actions Required

Upgrade TYPO3 CMS to version 13.4.32 (or later in the 13.x branch) or version 14.3.4 (or later in the 14.x branch) as published in the TYPO3 security advisory.
Review backend user and group permissions to enforce least privilege on page-level edit rights.
Audit recent sys_logMOVE entries to identify any unauthorized relocations performed before patching.

Patch Information

Workarounds

If immediate patching is not feasible, restrict backend access so that only trusted editors hold insert permissions on any pages within the site tree.
Temporarily disable record move functionality for non-administrative backend groups via Backend User TSconfig until the patched version is deployed.
Increase logging verbosity for DataHandler operations and review move actions daily until the upgrade is applied.

bash

# Verify installed TYPO3 version against fixed releases
php vendor/bin/typo3 --version

# Update via Composer to a patched release
composer require typo3/cms-core:"^13.4.32 || ^14.3.4" -W

# Clear caches after upgrade
php vendor/bin/typo3 cache:flush

CVE-2026-47350: TYPO3 CMS Auth Bypass Vulnerability

CVE-2026-47350 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-47350

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-47350

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-47350

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform

CVE-2026-47350: TYPO3 CMS Auth Bypass Vulnerability

CVE-2026-47350 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-47350

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-47350

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-47350

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform