CVE-2026-49738 Overview
CVE-2026-49738 is a path traversal vulnerability [CWE-22] in TYPO3 CMS. The GeneralUtility::isAllowedAbsPath() function performed a plain string prefix comparison without requiring a directory separator boundary. A path such as /var/www/html-other/secret.yaml was incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer (FAL) could create file storage definitions pointing to directories outside the project root, bypassing the intended path check. The flaw affects TYPO3 CMS versions before 10.4.57, 11.0.0–11.5.51, 12.0.0–12.4.46, 13.0.0–13.4.31, and 14.0.0–14.3.3.
Critical Impact
Authenticated administrators can bypass project root path restrictions and define file storage on directories outside the intended sandbox, leading to limited information disclosure or unintended file access.
Affected Products
- TYPO3 CMS versions before 10.4.57
- TYPO3 CMS 11.0.0 through 11.5.51, 12.0.0 through 12.4.46
- TYPO3 CMS 13.0.0 through 13.4.31, and 14.0.0 through 14.3.3
Discovery Timeline
- 2026-06-09 - CVE-2026-49738 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-49738
Vulnerability Analysis
The vulnerability resides in typo3/sysext/core/Classes/Utility/GeneralUtility.php, specifically in the isAllowedAbsPath() method. This method validates whether a given absolute path is permitted by checking that the path begins with the configured project or public path. The check used str_starts_with($path, Environment::getProjectPath()) without appending a trailing directory separator. As a result, any path that shared a common prefix with the project root, but resided in a sibling directory, was accepted as allowed.
When an administrator user with File Abstraction Layer access created a new file storage, the storage configuration accepted paths outside the project root. The backend treated the sibling directory as a valid storage location, granting read or write access to files that should have been outside the application boundary.
Root Cause
The root cause is improper path boundary validation. A prefix comparison without enforcing a directory separator at the boundary allows directory names that share a leading substring with the legitimate root (for example, html and html-other) to be confused. The function also did not normalize trailing separators before comparison.
Attack Vector
Exploitation requires high privileges. An authenticated administrator with access to manage file storages in the TYPO3 backend must configure a storage definition pointing to a sibling directory whose name extends the project root prefix. No user interaction is required beyond the administrator's own actions. The impact is limited to information exposure and unintended file operations within reachable sibling directories.
// Vulnerable code (before patch)
if (substr($path, 0, 6) === 'vfs://') {
    return true;
}
return PathUtility::isAbsolutePath($path) && static::validPathStr($path)
    && (
        // No separator after the root: '/var/www/html-other/...' matches '/var/www/html'
        str_starts_with($path, Environment::getProjectPath())
        || str_starts_with($path, Environment::getPublicPath())
        || PathUtility::isAllowedAdditionalPath($path)
    );

// Patched code
if (substr($path, 0, 6) === 'vfs://') {
    return true;
}
// Normalize the candidate so that the root directory itself still ends with '/'
$path = PathUtility::sanitizeTrailingSeparator($path);
return PathUtility::isAbsolutePath($path) && static::validPathStr($path)
    && (
        // Root plus separator: sibling names such as 'html-other' no longer match
        str_starts_with($path, Environment::getProjectPath() . '/')
        || str_starts_with($path, Environment::getPublicPath() . '/')
        || PathUtility::isAllowedAdditionalPath($path)
    );
Source: TYPO3 GitHub commit 150a983a
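The boundary flaw described above, as an added stand-alone example that is not TYPO3's own code: a minimal model of the vulnerable and patched checks side by side, run over a handful of candidate paths. PROJECT_PATH, the two function names and the candidate paths are constructed for illustration; the vfs:// and isAllowedAdditionalPath() branches of the real method are left out.

```php
<?php
// Added example, not TYPO3 code: a stand-alone model of the boundary bug in
// GeneralUtility::isAllowedAbsPath(). The real method also handles vfs://
// and PathUtility::isAllowedAdditionalPath(); both are omitted here.
declare(strict_types=1);

// Stand-in for Environment::getProjectPath(). TYPO3 returns it without a
// trailing separator, which is what makes a plain prefix check unsafe.
const PROJECT_PATH = '/var/www/html';

// Vulnerable check: plain prefix comparison, no separator at the boundary.
function isAllowedAbsPathVulnerable(string $path): bool
{
    return str_starts_with($path, '/') && str_starts_with($path, PROJECT_PATH);
}

// Hardened check, mirroring the patch: normalise the candidate to end with '/',
// then require the root prefix followed by a separator. Because the candidate
// is normalised, the root itself ('/var/www/html') still matches.
function isAllowedAbsPathFixed(string $path): bool
{
    $normalized = rtrim($path, '/') . '/';
    return str_starts_with($path, '/') && str_starts_with($normalized, PROJECT_PATH . '/');
}

// Constructed candidates: sibling directories sharing the prefix, the root
// itself, a legitimate child, and a path outside the prefix entirely.
$cases = [
    '/var/www/html-other/secret.yaml',  // sibling dir: must be rejected
    '/var/www/html',                    // project root itself: allowed
    '/var/www/html/',                   // root with trailing slash: allowed
    '/var/www/html/fileadmin/',         // child directory: allowed
    '/var/www/htmlbackup/',             // another sibling: must be rejected
    '/etc/passwd',                      // unrelated: rejected by both checks
];

foreach ($cases as $candidate) {
    printf(
        "%-36s vulnerable=%-5s fixed=%s\n",
        $candidate,
        isAllowedAbsPathVulnerable($candidate) ? 'true' : 'false',
        isAllowedAbsPathFixed($candidate) ? 'true' : 'false'
    );
}
```

The two sibling entries are the ones that separate the checks: the vulnerable function accepts them because '/var/www/html' is a string prefix of '/var/www/html-other', while the fixed function requires '/var/www/html/' and rejects them. The root directory remains accepted only because the candidate is normalised to carry a trailing separator before the comparison, which is the reason the patch sanitises the input path as well as the root.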
Detection Methods for CVE-2026-49738
Indicators of Compromise
- New file storage entries in the sys_file_storage table referencing absolute paths outside the documented project root.
- File storage configurations whose base path shares a leading substring with the project path but resolves to a sibling directory (for example, /var/www/html-other/).
- Backend audit log entries showing administrator creation or modification of file storage definitions during the exposure window.
Detection Strategies
- Audit sys_file_storage records and verify that each configured base path resides strictly within Environment::getProjectPath() followed by a directory separator.
- Review backend user activity logs for tx_belog events related to sys_file_storage insert and update actions performed by administrator accounts.
- Compare currently running TYPO3 core version against fixed releases listed in the TYPO3 advisory.
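One way to carry out the first audit above, as an added example that is not part of the advisory or of TYPO3: it parses the FlexForm XML stored in each sys_file_storage.configuration value, resolves relative base paths against the public path, and applies the separator-aware containment test to each resolved path. The sample rows, PROJECT_PATH, PUBLIC_PATH, the helper names and the assumed FlexForm layout (an sDEF sheet with basePath and pathType fields, as the local driver writes it) are assumptions here, not taken from the page.

```php
<?php
// Added example, not part of the advisory or TYPO3: audits sys_file_storage
// rows for base paths that resolve outside the project root. The rows below
// are constructed; the FlexForm layout (sheet sDEF, fields basePath and
// pathType) is assumed. Replace $rows with the result of
// "SELECT uid, name, configuration FROM sys_file_storage" to run it for real.
declare(strict_types=1);

const PROJECT_PATH = '/var/www/html';          // stand-in for Environment::getProjectPath()
const PUBLIC_PATH  = '/var/www/html/public';   // stand-in for Environment::getPublicPath()

// Builds a local-driver FlexForm configuration for a constructed sample row.
function flexForm(string $basePath, string $pathType): string
{
    return '<?xml version="1.0" encoding="utf-8" standalone="yes"?>'
        . '<T3FlexForms><data><sheet index="sDEF"><language index="lDEF">'
        . '<field index="basePath"><value index="vDEF">' . htmlspecialchars($basePath) . '</value></field>'
        . '<field index="pathType"><value index="vDEF">' . $pathType . '</value></field>'
        . '</language></sheet></data></T3FlexForms>';
}

// Constructed sample rows (uid, name, configuration), shaped like a SELECT result.
$rows = [
    ['uid' => 1, 'name' => 'fileadmin',  'configuration' => flexForm('fileadmin/', 'relative')],
    ['uid' => 2, 'name' => 'media',      'configuration' => flexForm('/var/www/html/var/media/', 'absolute')],
    ['uid' => 3, 'name' => 'suspicious', 'configuration' => flexForm('/var/www/html-other/', 'absolute')],
    ['uid' => 4, 'name' => 'backups',    'configuration' => flexForm('/var/www/htmlbackup/', 'absolute')],
];

// Reads one FlexForm field value; returns null if the field is absent.
function flexFormValue(SimpleXMLElement $xml, string $field): ?string
{
    $hits = $xml->xpath(sprintf('//field[@index="%s"]/value[@index="vDEF"]', $field));
    return $hits ? (string) $hits[0] : null;
}

// Boundary-safe containment test (the patched semantics): the candidate, with a
// trailing separator, must start with the root plus a separator.
function withinRoot(string $absPath, string $root): bool
{
    return str_starts_with(rtrim($absPath, '/') . '/', rtrim($root, '/') . '/');
}

// Returns uid, name and resolved path of every storage outside the project root.
function findStoragesOutsideRoot(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $xml = simplexml_load_string($row['configuration']);
        if ($xml === false) {
            continue; // unparsable configuration: handle separately
        }
        $basePath = flexFormValue($xml, 'basePath') ?? '';
        $pathType = flexFormValue($xml, 'pathType') ?? 'relative';
        // Relative base paths are anchored at the public web root (assumed here).
        $abs = $pathType === 'absolute' ? $basePath : PUBLIC_PATH . '/' . ltrim($basePath, '/');
        if (!withinRoot($abs, PROJECT_PATH)) {
            $flagged[] = ['uid' => $row['uid'], 'name' => $row['name'], 'resolved' => $abs];
        }
    }
    return $flagged;
}

foreach (findStoragesOutsideRoot($rows) as $hit) {
    printf("storage uid=%d (%s) resolves outside project root: %s\n",
        $hit['uid'], $hit['name'], $hit['resolved']);
}
```

Rows 3 and 4 are reported; rows 1 and 2 pass because their resolved paths begin with '/var/www/html/'. Any storage this flags should be checked against the backend log entries for the same uid to establish who created it and when.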
Monitoring Recommendations
- Monitor filesystem access from the PHP-FPM or web server process to directories sibling to the TYPO3 document root.
- Alert on creation of new file mounts or storages by backend administrators outside maintenance windows.
- Track changes to TYPO3 core files and configuration through file integrity monitoring.
How to Mitigate CVE-2026-49738
Immediate Actions Required
- Upgrade TYPO3 CMS to a fixed release: 10.4.57, 11.5.52, 12.4.47, 13.4.32, or 14.3.4 or later.
- Review and remove any unauthorized sys_file_storage entries whose base path lies outside the project root.
- Restrict the number of accounts with administrator-level access to the File Abstraction Layer.
Patch Information
The fix appends a trailing / to Environment::getProjectPath() and Environment::getPublicPath() before the prefix comparison, and normalizes the input path with PathUtility::sanitizeTrailingSeparator() so that the root directory itself still satisfies the stricter check. See the TYPO3 Security Advisory TYPO3-CORE-SA-2026-016 and the corresponding commits 150a983a and 44c2fa98.
Workarounds
- Limit administrator backend accounts to trusted personnel only until patching is complete.
- Place the TYPO3 project root in a directory that has no sibling directories whose names begin with its own name (for example, avoid html next to html-other).
- Configure filesystem permissions so the web server user cannot read sibling directories adjacent to the project root.
# Verify installed TYPO3 core version after patching
composer show typo3/cms-core | grep versions
# Audit configured file storages for paths outside the project root
mysql -e "SELECT uid, name, configuration FROM sys_file_storage;" typo3_db
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.