CVE-2026-47351 Overview
CVE-2026-47351 is an information disclosure vulnerability in the TYPO3 CMS backend clipboard component. Authenticated backend users can insert arbitrary records and files into the clipboard without the system validating read permissions on those items. This permits low-privileged users to enumerate metadata about records and files they are not authorized to view. The flaw is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Authenticated TYPO3 backend users can bypass access control checks on the clipboard to gather information about records and files outside their permission scope, enabling reconnaissance of restricted content within the CMS.
Affected Products
- TYPO3 CMS versions 10.4.0 through 13.4.30
- TYPO3 CMS versions 14.0.0 through 14.3.2
- TYPO3 backend Clipboard component (typo3/sysext/backend/Classes/Clipboard/Clipboard.php)
Discovery Timeline
- 2026-06-09 - CVE-2026-47351 published to NVD
- 2026-06-09 - Last updated in NVD database
- TYPO3-CORE-SA-2026-014 - TYPO3 security advisory released
Technical Details for CVE-2026-47351
Vulnerability Analysis
The TYPO3 backend clipboard allows editors to collect records and files for batch operations such as copy, move, or delete. The vulnerable implementation in Clipboard.php accepted record and file references submitted by backend users without verifying that the calling user had read access on the underlying database row or file resource.
Because clipboard entries surface metadata, such as titles, identifiers, file names, and paths, an attacker with any backend account can iterate over record UIDs or file identifiers and observe whether they resolve to existing assets. This converts the clipboard feature into an enumeration oracle against the TYPO3 page tree, database tables, and file storages.
The issue requires an authenticated session with backend access, which limits exposure to insiders or attackers who already compromised low-privileged credentials.
Root Cause
The clipboard handler did not invoke TYPO3's permission framework before adding items. Specifically, neither database record access checks tied to Permission bitmasks nor file system folder access validations were performed before populating clipboard state.
Attack Vector
An authenticated backend user crafts requests to the clipboard endpoint referencing arbitrary record UIDs or file identifiers. The backend stores those references and renders them back to the user, disclosing metadata about restricted content. No special privileges, user interaction, or social engineering is required beyond a valid backend session.
use TYPO3\CMS\Core\Imaging\IconFactory;
use TYPO3\CMS\Core\Imaging\IconSize;
use TYPO3\CMS\Core\Localization\LanguageService;
+use TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException;
use TYPO3\CMS\Core\Resource\Exception\ResourceDoesNotExistException;
use TYPO3\CMS\Core\Resource\File;
use TYPO3\CMS\Core\Resource\Folder;
use TYPO3\CMS\Core\Resource\ProcessedFile;
use TYPO3\CMS\Core\Resource\ResourceFactory;
+use TYPO3\CMS\Core\Type\Bitmask\Permission;
use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Core\Utility\MathUtility;
Source: TYPO3 Commit 2740707. The patch introduces InsufficientFolderAccessPermissionsException and the Permission bitmask import so that record and file additions to the clipboard are gated by access checks.
Detection Methods for CVE-2026-47351
Indicators of Compromise
- Backend user sessions issuing high volumes of clipboard add requests targeting sequential record UIDs or file identifiers.
- TYPO3 backend logs showing clipboard operations referencing tables or storages outside the user's normal working scope.
- Editor accounts touching records or files they have never opened through standard list or page modules.
Detection Strategies
- Audit TYPO3 sys_log entries for clipboard interactions correlated against the user's effective permissions on the referenced records.
- Inspect web server access logs for repeated POST requests to backend clipboard routes with varying record or file parameters from a single session.
- Compare clipboard contents per user against their be_users permission set to flag references to unauthorized records.
Monitoring Recommendations
- Forward TYPO3 backend and web server logs to a centralized analytics platform to baseline clipboard activity per editor role.
- Alert on backend accounts that enumerate identifiers across multiple tables or file storages within short time windows.
- Track patch state of TYPO3 instances and surface any environment still running versions in the affected ranges.
How to Mitigate CVE-2026-47351
Immediate Actions Required
- Upgrade TYPO3 CMS to a fixed release: 13.4.31 or later in the 13.x branch, or 14.3.3 or later in the 14.x branch.
- For sites on older long-term-support builds, apply the vendor-supplied ELTS patch corresponding to the 10.4–12.x lines.
- Review backend user accounts and disable or rotate credentials for accounts that no longer require access.
Patch Information
TYPO3 published fixes in commits 2740707 and 932fbb9, which add record and file access validation to Clipboard.php. Full guidance is provided in the TYPO3 Security Advisory TYPO3-CORE-SA-2026-014.
Workarounds
- Restrict backend access to trusted IP ranges through web server or reverse proxy rules until patching is complete.
- Reduce the number of backend accounts with editor or higher roles to minimize the population that can reach the clipboard.
- Enforce strong authentication, including multi-factor authentication, on all TYPO3 backend users.
# Verify installed TYPO3 version and update via Composer
php vendor/bin/typo3 --version
composer require typo3/cms-core:"^13.4.31" --update-with-dependencies
composer require typo3/cms-backend:"^13.4.31" --update-with-dependencies
php vendor/bin/typo3 cache:flush
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

