CVE-2026-6553 Overview
CVE-2026-6553 is a Sensitive Data Exposure vulnerability in TYPO3 CMS version 14.2.0. When backend users change their passwords via the user settings module, the cleartext password is incorrectly stored in the uc and user_settings fields of the be_users database table. This represents a critical violation of password security best practices, as passwords should only be stored in hashed form.
Critical Impact
Backend user passwords are stored in cleartext within the database, enabling attackers with database access to harvest credentials for privilege escalation, lateral movement, and account takeover attacks.
Affected Products
- TYPO3 CMS version 14.2.0
Discovery Timeline
- 2026-04-21 - CVE-2026-6553 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-6553
Vulnerability Analysis
This vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information). The flaw occurs in the backend user settings module of TYPO3 CMS when processing password change requests. Instead of properly sanitizing the password data before serialization, the plaintext password value is inadvertently stored in the serialized user settings data structure.
The vulnerability is network-accessible and requires some user interaction to trigger (a backend user must change their password through the settings module). Once exploited, attackers who gain access to the database—whether through SQL injection, backup theft, or compromised database credentials—can extract plaintext passwords for all affected backend users.
Root Cause
The root cause lies in the UserSettingsDatabaseEditRow form data provider and the UserSettingsSchema class, which failed to exclude password fields from the serialized user settings data. When user settings are persisted to the database, password values were being included in the serialized data without proper filtering or sanitization.
Attack Vector
An attacker can exploit this vulnerability through the following attack chain:
- Database Access Acquisition: The attacker first gains access to the TYPO3 database through various means such as SQL injection in another component, compromised database credentials, access to database backups, or insider access
- Credential Extraction: Query the be_users table to extract the uc and user_settings fields containing serialized data with cleartext passwords
- Credential Abuse: Use harvested credentials for account takeover, privilege escalation, or credential stuffing attacks against other systems where users may have reused passwords
// Security patch in UserSettingsDatabaseEditRow.php
// Source: https://github.com/TYPO3/typo3/commit/9a6e913f70767f63b322ae3e2d2f4e302624c291
readonly class UserSettingsDatabaseEditRow implements FormDataProviderInterface
{
+ public function __construct(private UserSettingsSchema $userSettingsSchema) {}
+
public function addData(array $result): array
{
if ($result['command'] !== 'edit' || $result['tableName'] !== 'be_users_settings') {
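Review bot: the excerpt ends at the early-return guard in addData(), so the step that actually consults $this->userSettingsSchema to drop password keys before the settings are serialized is not visible, and nothing in these lines performs any filtering on its own. Quote the lines where the schema is applied to $result (or the matching change in UserSettingsSchema) so a reviewer can confirm that the password fields are excluded before persistence, and note that the guard on 'be_users_settings' only covers the edit command, so any other path that persists user settings must go through the same filter.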
The patch introduces dependency injection for the UserSettingsSchema class, enabling proper filtering of sensitive password data before serialization.
Detection Methods for CVE-2026-6553
Indicators of Compromise
- Unexplained queries against the be_users table targeting uc or user_settings columns
- Database exports or backups accessed by unauthorized users
- Evidence of SQL injection attempts targeting TYPO3 installations
- Multiple failed login attempts followed by successful authentication using harvested credentials
Detection Strategies
- Implement database activity monitoring (DAM) to detect unusual SELECT queries on the be_users table
- Review database access logs for unauthorized connections or bulk data extraction
- Deploy intrusion detection signatures for SQL injection patterns targeting TYPO3
- Audit web application firewall (WAF) logs for suspicious POST requests to backend user settings endpoints
Monitoring Recommendations
- Enable query logging on the database server and monitor for access to sensitive tables
- Configure alerts for database backup operations performed outside of scheduled windows
- Monitor for unusual backend authentication patterns that may indicate credential abuse
- Implement file integrity monitoring on TYPO3 core files to detect unauthorized modifications
How to Mitigate CVE-2026-6553
Immediate Actions Required
- Update TYPO3 CMS to the patched version immediately
- Force password resets for all backend users after applying the patch
- Audit the be_users table for existing cleartext passwords in the uc and user_settings fields
- Review database access logs for any indication of unauthorized data access
- Rotate any credentials that may have been exposed
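The audit step above needs a way to look inside the serialized settings blob for leftover password material. The following is an added example, not TYPO3 code or part of the advisory: a minimal reader for PHP's serialize() format (assumed to be the format of the uc column, as it historically has been) and a walker that reports any key named like "password" holding a non-empty string. The key names and the sample rows are constructed assumptions, not values from a real dump.

```python
import re

PASSWORD_KEY = re.compile(r"password", re.IGNORECASE)   # matches password, password2, ...

def php_unserialize(data: str):
    """Minimal reader for PHP serialize() output: N, b, i, d, s and nested a."""
    def parse(pos):
        t = data[pos]
        if t == "N":                                   # N;
            return None, pos + 2
        if t in "bid":                                 # b:1;  i:42;  d:1.5;
            end = data.index(";", pos)
            return {"b": lambda v: v == "1", "i": int, "d": float}[t](data[pos + 2:end]), end + 1
        if t == "s":                                   # s:<len>:"<bytes>";  (byte length; ASCII assumed)
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2
            return data[start:start + length], start + length + 2
        if t == "a":                                   # a:<n>:{key value ... }
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos, result = colon + 2, {}
            for _ in range(count):
                key, pos = parse(pos)
                result[key], pos = parse(pos)
            return result, pos + 1                     # step over the closing "}"
        raise ValueError(f"unsupported type {t!r} at offset {pos}")
    return parse(0)[0]

def find_cleartext_password_keys(blob: str, root: str = "uc"):
    hits = []   # paths of keys named like 'password' that hold a non-empty string, at any depth
    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                child = f"{path}.{key}"
                if PASSWORD_KEY.search(str(key)) and isinstance(val, str) and val:
                    hits.append(child)
                walk(val, child)
    walk(php_unserialize(blob), root)
    return hits

# Constructed sample rows (username -> uc blob); the password/password2 key names are an assumption.
SAMPLE_ROWS = {
    "admin": 'a:3:{s:4:"lang";s:2:"en";s:8:"password";s:13:"P@ssw0rd-2026";'
             's:9:"password2";s:13:"P@ssw0rd-2026";}',
    "editor": 'a:1:{s:4:"lang";s:2:"de";}',
}
def audit_rows(rows):
    """Map each username whose blob leaks password material to the offending key paths."""
    findings = {user: find_cleartext_password_keys(blob) for user, blob in rows.items()}
    return {user: paths for user, paths in findings.items() if paths}
```

Feed it the uc and user_settings values pulled with a single SELECT on be_users; every username it returns needs a forced password reset, and the matching keys should be cleared from the blob after the patch is applied.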
Patch Information
The vulnerability has been addressed by TYPO3 in commit 9a6e913f70767f63b322ae3e2d2f4e302624c291. The fix modifies the UserSettingsDatabaseEditRow class to properly filter password fields from serialized user settings data before database storage. For detailed patch information, refer to the TYPO3 Security Advisory SA-2026-005 and the GitHub commit.
Workarounds
- Restrict database access to only essential personnel and applications pending the patch
- Implement network segmentation to limit database server exposure
- Enable database encryption at rest to protect stored data
- Configure database user permissions to use read-only accounts where possible
- Consider temporarily disabling the backend user settings password change functionality until patched
# Configuration example: Restrict database access
# MySQL - Grant minimal runtime permissions to the TYPO3 application user
# (schema changes from the Install Tool then need a separate, privileged account)
REVOKE ALL PRIVILEGES ON typo3_db.* FROM 'typo3_app'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON typo3_db.* TO 'typo3_app'@'localhost';
# Log every statement so reads of be_users (uc, user_settings) can be reviewed.
# The general log records all queries on all tables, not only be_users, and grows
# quickly; keep it on only while investigating and rotate the log file.
SET GLOBAL general_log = 'ON';
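With the general log enabled, the monitoring advice above (watch for access to be_users outside the application) can be turned into a scan over the log file. The following is an added example, not part of the advisory or of TYPO3: it ties each connection id to the user seen in its Connect line and reports reads of uc or user_settings on be_users by anyone other than the assumed application account typo3_app. The log lines are constructed samples in the MySQL general-log file layout; the user names and hosts are invented.

```python
import re

APP_USERS = {"typo3_app"}                       # assumption: the only legitimate reader
LEAKED_COLS = re.compile(r"\b(uc|user_settings)\b", re.IGNORECASE)
BE_USERS = re.compile(r"\bbe_users\b", re.IGNORECASE)
SELECT_ALL = re.compile(r"\bSELECT\s+\*", re.IGNORECASE)
CONNECT = re.compile(r"^(?P<user>[^@\s]+)@\S+ on ")      # "user@host on db using TCP/IP"
LINE = re.compile(r"^\S+\t\s*(?P<id>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Constructed sample in MySQL general-log file layout: "<time>\t<conn id> <Command>\t<argument>"
SAMPLE_LOG = (
    "2026-04-21T10:15:01.000000Z\t   12 Connect\ttypo3_app@localhost on typo3_db using Socket\n"
    "2026-04-21T10:15:01.100000Z\t   12 Query\tSELECT uid, uc FROM be_users WHERE uid = 3\n"
    "2026-04-21T10:16:40.000000Z\t   13 Connect\treporting@10.0.5.7 on typo3_db using TCP/IP\n"
    "2026-04-21T10:16:41.000000Z\t   13 Query\tSELECT username, uc, user_settings FROM be_users\n"
    "2026-04-21T10:16:45.000000Z\t   13 Query\tSELECT COUNT(*) FROM pages\n"
    "2026-04-21T10:17:00.000000Z\t   14 Connect\tbackup@localhost on typo3_db using Socket\n"
    "2026-04-21T10:17:02.000000Z\t   14 Query\tSELECT * FROM be_users\n"
)

def suspicious_reads(log_text):
    """(connection id, user, statement) for each read of uc/user_settings on be_users by a
    principal outside APP_USERS. SELECT * counts too: that is how a dump pulls the columns."""
    users, hits = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                       # not a statement line (e.g. header)
        cid, cmd, arg = m.group("id"), m.group("cmd"), m.group("arg")
        if cmd == "Connect":                               # remember who owns this connection
            c = CONNECT.match(arg)
            users[cid] = c.group("user") if c else "?"
        elif cmd == "Query" and BE_USERS.search(arg):
            if LEAKED_COLS.search(arg) or SELECT_ALL.search(arg):
                user = users.get(cid, "?")
                if user not in APP_USERS:
                    hits.append((cid, user, arg))
    return hits
```

Connections whose Connect line was rotated out of the current file show up with user "?", which is itself worth a look rather than a reason to discard the hit.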
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

