CVE-2026-49742 Overview
CVE-2026-49742 is a path traversal vulnerability [CWE-22] in TYPO3 CMS that allows authenticated backend users with file download permissions to retrieve files from outside the intended storage scope. The flaw resides in the Media Module's interaction with the File Abstraction Layer (FAL) fallback storage, which resolves paths relative to the server's document root. Attackers can leverage this behavior to download sensitive files such as application logs, configuration artifacts, or other server-side resources. The issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2.
Critical Impact
Authenticated backend users can exfiltrate sensitive files from the TYPO3 server's document root, exposing logs and configuration data that aid further compromise.
Affected Products
- TYPO3 CMS versions 11.0.0 through 11.5.50
- TYPO3 CMS versions 12.0.0 through 12.4.45
- TYPO3 CMS versions 13.0.0 through 13.4.30
- TYPO3 CMS versions 14.0.0 through 14.3.2
Discovery Timeline
- 2026-06-09 - CVE-2026-49742 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-49742
Vulnerability Analysis
The vulnerability exists in TYPO3 CMS's File Abstraction Layer (FAL), specifically in how the Media Module handles the fallback storage driver. The FAL is designed to abstract file operations across different storage backends. The fallback storage, used when no explicit storage is defined, resolves file paths relative to the web server's document root rather than a restricted file directory. When a backend user with file download privileges interacts with the Media Module, the download routine does not properly constrain requests to authorized storage locations. This allows the user to construct download requests that target arbitrary files within the document root.
Root Cause
The root cause is insufficient path validation [CWE-22] in the download handler associated with the FAL fallback storage. The handler trusts user-supplied identifiers and resolves them against the document root without enforcing that the resulting path remains within an approved storage scope. TYPO3's security advisory SA-2026-013 documents this behavior and the remediation introduced in the fixed releases.
Attack Vector
Exploitation requires an authenticated TYPO3 backend account that holds file download permissions. The attacker issues a download request through the Media Module referencing the fallback storage and a path that resolves to a sensitive file under the document root. Typical targets include var/log/* files, deployment artifacts, or configuration fragments that were placed within the web root. No additional user interaction is required, and the attack is reachable over the network through the normal backend UI.
No public proof-of-concept code has been released. The vulnerability mechanism is described in the TYPO3 Security Advisory SA-2026-013 and addressed in the upstream commits ad636b6 and caa6b44.
Detection Methods for CVE-2026-49742
Indicators of Compromise
- Backend audit log entries showing file download actions against the FAL fallback storage by accounts that do not normally use the Media Module.
- Web server access log entries for TYPO3 backend file download endpoints referencing paths outside standard fileadmin/ directories.
- Unexpected reads of files such as var/log/typo3_*.log, deployment manifests, or configuration files located within the document root.
Detection Strategies
- Review TYPO3's sys_log table for download actions tied to the fallback storage identifier and correlate with the requesting backend user.
- Compare download request paths against the approved fileadmin storage roots; flag any traversal sequences or absolute paths.
- Hunt for backend users granted file download permissions who lack a legitimate business need, and audit their activity over the affected version window.
Monitoring Recommendations
- Forward TYPO3 backend audit logs and web server access logs to a centralized analytics platform for correlation and alerting on anomalous file access.
- Alert on repeated download requests from a single backend session targeting non-standard storage identifiers.
- Track changes to TYPO3 user group permissions, particularly grants of file download rights, and review them against approved access baselines.
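The detection strategies and monitoring recommendations above (comparing download request paths against the approved storage roots, flagging traversal sequences, and alerting on repeated requests from one backend user against the fallback storage) can be turned into a small log-triage script. The following is an added example, not code from TYPO3 or from the advisory: it runs over a few constructed access-log lines in combined log format. The backend route `/typo3/DOWNLOAD_ROUTE_PLACEHOLDER` and the `target` parameter are placeholders for whatever download endpoint and parameter your TYPO3 version exposes; the parameter values follow FAL's `storageUid:/path` combined-identifier convention, and storage uid 0 is assumed to be the fallback storage.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Placeholder for the backend file download route (not TYPO3's real path).
DOWNLOAD_ROUTE = "/typo3/DOWNLOAD_ROUTE_PLACEHOLDER"
# Assumption: FAL storage uid 0 is the fallback storage the advisory refers to.
FALLBACK_STORAGE_UID = "0"

# Constructed sample access-log lines (combined log format); users, IPs and
# file names are invented for the example.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - editor1 [09/Jun/2026:10:01:02 +0000] "GET /typo3/DOWNLOAD_ROUTE_PLACEHOLDER'
    '?target=1%3A%2Fuser_upload%2Freport.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - editor2 [09/Jun/2026:10:02:10 +0000] "GET /typo3/DOWNLOAD_ROUTE_PLACEHOLDER'
    '?target=0%3A%2Fvar%2Flog%2Ftypo3_SAMPLE.log HTTP/1.1" 200 88123',
    '10.0.0.7 - editor3 [09/Jun/2026:10:03:44 +0000] "GET /typo3/DOWNLOAD_ROUTE_PLACEHOLDER'
    '?target=1%3A%2Fuser_upload%2F..%2F..%2Fconfig_PLACEHOLDER.yaml HTTP/1.1" 404 312',
    '10.0.0.9 - editor2 [09/Jun/2026:10:04:01 +0000] "GET /typo3/DOWNLOAD_ROUTE_PLACEHOLDER'
    '?target=0%3A%2Fdeploy%2Fmanifest_PLACEHOLDER.json HTTP/1.1" 200 2048',
    '10.0.0.5 - editor1 [09/Jun/2026:10:05:30 +0000] "GET /typo3/main HTTP/1.1" 200 9001',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)  # parse_qs already URL-decodes once
    return rec


def has_traversal(value: str) -> bool:
    """True if the value contains a '..' path segment, also after a second
    round of URL decoding (catches double-encoded '%252e%252e%252f')."""
    decoded = unquote(unquote(value))
    segments = re.split(r"[\\/]", decoded)
    return ".." in segments


def is_fallback_storage(value: str) -> bool:
    """True if a combined identifier names the fallback storage (uid 0)."""
    storage, sep, _ = value.partition(":")
    return sep == ":" and storage.strip() == FALLBACK_STORAGE_UID


def analyse(log_text: str, download_route: str = DOWNLOAD_ROUTE) -> List[Dict]:
    """Return one finding per suspicious download parameter value."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != download_route:
            continue
        for name, values in rec["params"].items():
            for value in values:
                reasons = []
                if has_traversal(value):
                    reasons.append("traversal")
                if is_fallback_storage(value):
                    reasons.append("fallback_storage")
                if reasons:
                    findings.append({"user": rec["user"], "ip": rec["ip"],
                                     "ts": rec["ts"], "param": name,
                                     "value": value, "reasons": reasons})
    return findings


def repeat_offenders(findings: List[Dict], threshold: int = 2) -> List[str]:
    """Backend users with at least `threshold` suspicious download requests."""
    counts = Counter(f["user"] for f in findings)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
    print("repeat offenders:", repeat_offenders(analyse(SAMPLE_LOG)))
```

Status codes are deliberately ignored: a 404 on a traversal attempt is still a probe worth correlating with the user's other activity, and the per-user count is what turns isolated hits into the "repeated requests from a single backend session" signal described above.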
How to Mitigate CVE-2026-49742
Immediate Actions Required
- Upgrade TYPO3 CMS to a fixed release: 11.5.51, 12.4.46, 13.4.31, or 14.3.3 (or any later release on the same branch), as listed in TYPO3 Security Advisory SA-2026-013.
- Audit backend user accounts and revoke file download permissions from users who do not require them.
- Review historical backend file download activity for signs of pre-patch exploitation against fallback storage paths.
Patch Information
TYPO3 published fixes in commits ad636b6183843b57c758a1e12174a75093ac93c3 and caa6b444d7ab1bdd1eb76a68004c8be73d98e6ae. The patches tighten path resolution in the FAL fallback storage driver so that download requests cannot reach files outside the permitted storage scope. Detailed remediation guidance is provided in TYPO3 Security Advisory SA-2026-013.
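The root cause and the fix described above come down to one check: a user-supplied identifier must never be resolved to a filesystem path that leaves the approved storage scope. The following is an added example and not TYPO3's code or the content of the referenced commits; it shows the unchecked resolution pattern beside a scoped one, with `STORAGE_ROOT` standing in for a storage base path (constructed value). It also covers the classic prefix-comparison mistake, where a sibling directory that merely starts with the root's name would pass a `startswith` test.

```python
import posixpath
from typing import Dict, Optional, Tuple

# Constructed example paths; not taken from any real deployment.
STORAGE_ROOT = "/var/www/html/fileadmin"


def resolve_unchecked(base: str, identifier: str) -> str:
    """Vulnerable pattern: trust the identifier and join it onto the base.
    posixpath.join drops the base entirely when the identifier is absolute,
    and normpath collapses '..' segments up and out of the base directory."""
    return posixpath.normpath(posixpath.join(base, identifier))


def resolve_scoped(base: str, identifier: str) -> Optional[str]:
    """Hardened pattern: reject absolute identifiers and NUL bytes, normalise
    the joined path, then require the result to stay below the base using a
    component-wise comparison (commonpath), not a string prefix test.
    Returns None whenever the candidate would escape the scope."""
    if posixpath.isabs(identifier) or "\0" in identifier:
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, identifier))
    try:
        if posixpath.commonpath([base_norm, candidate]) != base_norm:
            return None
    except ValueError:  # mixing absolute and relative paths
        return None
    # In a real handler, additionally resolve symlinks (os.path.realpath)
    # on the final path and repeat the commonpath check before opening it.
    return candidate


def compare(identifiers) -> Dict[str, Tuple[str, Optional[str]]]:
    """For each identifier: (unchecked result, scoped result or None)."""
    return {i: (resolve_unchecked(STORAGE_ROOT, i),
                resolve_scoped(STORAGE_ROOT, i)) for i in identifiers}


if __name__ == "__main__":
    for ident, (unchecked, scoped) in compare([
        "user_upload/report.pdf",
        "sub/../notes.txt",
        "../var/log/typo3_SAMPLE.log",
        "../fileadmin_other/secret.txt",
        "/var/www/html/config_PLACEHOLDER.yaml",
    ]).items():
        print(f"{ident!r}: unchecked={unchecked} scoped={scoped}")
```

The `startswith` pitfall is visible in the `../fileadmin_other/secret.txt` case: the unchecked result `/var/www/html/fileadmin_other/secret.txt` begins with the string `/var/www/html/fileadmin`, yet `commonpath` correctly reports that the two share only `/var/www/html`, so the scoped resolver refuses it.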
Workarounds
- Restrict backend access to trusted administrators only and remove the file download permission from non-essential roles until patches are applied.
- Relocate sensitive log and configuration files outside the web server's document root so that fallback storage resolution cannot reach them.
- Place the TYPO3 backend behind network controls such as IP allowlists or VPN-only access to limit the population of users who could abuse the flaw.
# Example: upgrade TYPO3 via Composer to a fixed release (shown for the 13.4 branch;
# use ^11.5.51, ^12.4.46 or ^14.3.3 for the other supported branches)
composer require typo3/cms-core:"^13.4.31" --update-with-dependencies
# Bring the remaining typo3/cms-* packages to the same release (quoted to avoid shell globbing)
composer update "typo3/cms-*" --with-dependencies
# Clear caches so the updated code is served
vendor/bin/typo3 cache:flush
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.