CVE-2026-49741 Overview
CVE-2026-49741 is a high-severity vulnerability in TYPO3 CMS affecting versions 14.0.0 through 14.3.3. Backend users with write access to the form_definition database table can directly create, update, or delete form definition records via DataHandler. This bypasses the Form Framework's persistence validation and permission checks. The flaw allows injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection [CWE-89] and privilege escalation.
Critical Impact
Authenticated backend users can inject arbitrary form configurations to achieve SQL injection and privilege escalation against the TYPO3 backend.
Affected Products
- TYPO3 CMS 14.0.0
- TYPO3 CMS 14.x through 14.3.3
- TYPO3 Form Framework system extension (typo3/cms-form)
Discovery Timeline
- 2026-06-09 - CVE-2026-49741 published to NVD
- 2026-06-09 - Last updated in NVD database
- TYPO3-CORE-SA-2026-017 - TYPO3 security advisory published
Technical Details for CVE-2026-49741
Vulnerability Analysis
The TYPO3 Form Framework persists form configurations in the form_definition database table. The framework enforces validation and permission checks through a dedicated persistence layer when forms are created or modified through the Form Editor. The vulnerability allows backend users with table-level write permissions to manipulate form_definition records directly via DataHandler, the core TYPO3 record manipulation API.
Bypassing the persistence layer means form configurations are written without validation. An attacker can inject crafted YAML form definitions containing dangerous configuration directives. These directives re-enable attack vectors previously fixed in TYPO3-CORE-SA-2018-003, including arbitrary SQL queries through form finishers and privilege escalation through manipulated form processing logic.
Root Cause
The DataHandler write path for the form_definition table lacked a guard ensuring that mutations originate from the Form Framework's authorized persistence layer. The fix introduces a FormDefinitionPersistenceGuard and FormDefinitionPersistenceCommand that gate DataHandler operations against an explicit, framework-issued invocation context.
Attack Vector
The attack requires authenticated backend access with write permissions to the form_definition table. The attacker submits a DataHandler request targeting form_definition directly, supplying a malicious form configuration. Because the request bypasses the Form Framework, the persistence validation that normally rejects unsafe directives is never executed.
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Form\Domain\DTO\FormData;
use TYPO3\CMS\Form\Domain\DTO\SearchCriteria;
+use TYPO3\CMS\Form\Storage\Security\FormDefinitionPersistenceCommand;
+use TYPO3\CMS\Form\Storage\Security\FormDefinitionPersistenceGuard;
/**
* Repository class to fetch available form definitions.
Source: GitHub Commit c90493c
The second part of the patch adds a new hook class FormDefinitionDataHandlerHook that denies direct DataHandler writes unless the guard has granted a matching invocation:
+namespace TYPO3\CMS\Form\Hooks;
+
+use Symfony\Component\DependencyInjection\Attribute\Autoconfigure;
+use TYPO3\CMS\Core\DataHandling\DataHandler;
+use TYPO3\CMS\Core\SysLog\Action\Database as SystemLogDatabaseAction;
+use TYPO3\CMS\Core\SysLog\Error as SystemLogErrorClassification;
+use TYPO3\CMS\Core\Utility\MathUtility;
+use TYPO3\CMS\Form\Storage\Security\FormDefinitionPersistenceCommand;
+use TYPO3\CMS\Form\Storage\Security\FormDefinitionPersistenceGuard;
+
+/**
+ * Denies direct DataHandler write access to the form_definition table unless
+ * FormDefinitionPersistenceGuard has granted a matching invocation.
+ */
Source: GitHub Commit c90493c
Detection Methods for CVE-2026-49741
Indicators of Compromise
- Unexpected tce_db requests targeting the form_definition table from backend user sessions that do not normally use the Form Editor.
- New or modified rows in form_definition whose persistence_identifier or YAML payload contains references to finishers, validators, or database lookups not used by your forms.
- Backend user accounts with non-administrative roles holding write permissions on the form_definition table.
Detection Strategies
- Review TYPO3 system log (sys_log) entries for DataHandler actions on the tablename = form_definition with action = 1 (create) or action = 2 (update) outside of Form Editor workflows.
- Audit be_groups and be_users for any group granting table modify rights to form_definition and remove them where not strictly required.
- Diff stored form definitions against version-controlled originals to identify injected finishers or YAML directives.
Monitoring Recommendations
- Enable verbose backend audit logging and forward TYPO3 sys_log entries to a centralized SIEM for correlation.
- Alert on database errors from the TYPO3 connection user that resemble SQL syntax errors, which can indicate injection attempts via form finishers.
- Monitor for outbound HTTP requests originating from the TYPO3 PHP-FPM workers to non-approved destinations following form submissions.
How to Mitigate CVE-2026-49741
Immediate Actions Required
- Upgrade TYPO3 CMS to a fixed release of the 14.x branch as published in TYPO3-CORE-SA-2026-017.
- Restrict backend group permissions so that only trusted administrator roles can modify the form_definition table.
- Audit existing form definitions for unauthorized changes and restore from known-good backups where tampering is suspected.
Patch Information
The fix is delivered in TYPO3 commit c90493c13b633f328cf2c066182c90a1655ff0fc. It introduces FormDefinitionPersistenceGuard and FormDefinitionPersistenceCommand, plus the FormDefinitionDataHandlerHook that denies direct DataHandler write access to the form_definition table unless the guard has granted a matching invocation. See TYPO3 Security Advisory 2026-017 and the GitHub Commit Fix for details.
Workarounds
- Remove table modify access to form_definition from all non-administrator backend user groups until the patch can be applied.
- Disable the form system extension on installations that do not require the Form Framework.
- Place the TYPO3 backend behind IP allow-listing or VPN to reduce exposure of authenticated attack surface.
# Update TYPO3 to a patched 14.x release using Composer
composer require typo3/cms-form:"^14.3.4" --update-with-all-dependencies
vendor/bin/typo3 cache:flush
vendor/bin/typo3 database:updateschema
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
