DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-47349: Missing Authorization in TYPO3 CMS DataHandler Record Restoration

Vulnerability ID: CVE-2026-47349
CVSS Score: 5.3
Published: 2026-06-12

An authenticated backend user with access to the Recycler module in TYPO3 CMS can bypass write restrictions and restore soft-deleted records on pages or database tables they are not authorized to modify. The flaw is in the core DataHandler class: its undelete path did not apply the table-modify-list and page/insert permission checks that the corresponding insert or update would have to pass.

TL;DR

Low-privileged TYPO3 backend users with Recycler access can restore soft-deleted records on pages and tables they have no write permission for, bringing content back across page boundaries that their permissions should enforce.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862: Missing Authorization
  • Attack Vector: Network (AV:N)
  • CVSS v4.0: 5.3 (Medium)
  • EPSS Score: 0.00414 (32.77th percentile)
  • Impact: Privilege Escalation / Unauthorized Write Access
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not Listed

Affected Systems

  • TYPO3 CMS >= 10.0.0 < 10.4.57 (Fixed in: 10.4.57 ELTS)
  • TYPO3 CMS >= 11.0.0 < 11.5.51 (Fixed in: 11.5.51 ELTS)
  • TYPO3 CMS >= 12.0.0 < 12.4.46 (Fixed in: 12.4.46 ELTS)
  • TYPO3 CMS >= 13.0.0 < 13.4.31 (Fixed in: 13.4.31 LTS)
  • TYPO3 CMS >= 14.0.0 < 14.3.3 (Fixed in: 14.3.3 LTS)

Code Analysis

Commit: 92f08d8

Fix missing table and page check in DataHandler undelete

Commit: 9f17a30

Enforce modify list and insertion checks in undeleteRecord flow
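The two commit messages describe the shape of the fix: an undelete must pass the same table and page authorization an insert would. The following is an added illustration written for this post, not TYPO3's DataHandler code; the class names BackendUser and RecordRestorer, the method names mayModifyTable and mayEditPage, and the in-memory table data are all assumptions that model TYPO3's tables_modify group setting and page permissions in simplified form.

```php
<?php
declare(strict_types=1);

// Illustrative model of the missing authorization check, written for this post.
// NOT TYPO3's DataHandler code: class and method names are assumptions that
// mirror the two checks named in the fix commits (modify list, page/insert access).

final class BackendUser
{
    /** @param string[] $tablesModify @param int[] $editablePages */
    public function __construct(
        private array $tablesModify,
        private array $editablePages,
        private bool $admin = false,
    ) {
    }

    // Stand-in for the group's "tables_modify" list (admins may modify anything).
    public function mayModifyTable(string $table): bool
    {
        return $this->admin || in_array($table, $this->tablesModify, true);
    }

    // Stand-in for the page-permission check on the page a record would land on.
    public function mayEditPage(int $pid): bool
    {
        return $this->admin || in_array($pid, $this->editablePages, true);
    }
}

final class RecordRestorer
{
    /** @var array<string, array<int, array{pid:int, deleted:int}>> constructed tables */
    private array $db;
    /** @var string[] */
    private array $log = [];

    public function __construct(private BackendUser $user, array $db)
    {
        $this->db = $db;
    }

    // Vulnerable shape: restores any soft-deleted row the caller names, with no
    // check on who the caller is or where the record will reappear.
    public function undeleteUnchecked(string $table, int $uid): bool
    {
        $row = $this->db[$table][$uid] ?? null;
        if ($row === null || $row['deleted'] !== 1) {
            return false;
        }
        $this->db[$table][$uid]['deleted'] = 0;
        return true;
    }

    // Hardened shape: apply the gates an insert into that table/page would face.
    public function undelete(string $table, int $uid): bool
    {
        $row = $this->db[$table][$uid] ?? null;
        if ($row === null || $row['deleted'] !== 1) {
            return false;
        }
        if (!$this->user->mayModifyTable($table)) {
            $this->log[] = "USER_ERROR: table {$table} is not in the user's modify list";
            return false;
        }
        // A restored record reappears on its pid, so treat it like an insert there.
        if (!$this->user->mayEditPage($row['pid'])) {
            $this->log[] = "USER_ERROR: no write access to page {$row['pid']} for {$table}:{$uid}";
            return false;
        }
        $this->db[$table][$uid]['deleted'] = 0;
        return true;
    }

    public function isDeleted(string $table, int $uid): bool
    {
        return ($this->db[$table][$uid]['deleted'] ?? 0) === 1;
    }

    /** @return string[] */
    public function log(): array
    {
        return $this->log;
    }
}

// Constructed data: an editor who may modify tt_content on page 10 only, plus
// soft-deleted rows on page 20 (out of scope) and page 10 (in scope).
$db = [
    'tt_content' => [
        501 => ['pid' => 20, 'deleted' => 1],
        502 => ['pid' => 10, 'deleted' => 1],
    ],
    'pages' => [
        20 => ['pid' => 1, 'deleted' => 1],
    ],
];
$editor = new BackendUser(['tt_content'], [10]);

$unchecked = new RecordRestorer($editor, $db);
var_dump($unchecked->undeleteUnchecked('tt_content', 501)); // page 20 element comes back despite no page access

$checked = new RecordRestorer($editor, $db);
var_dump($checked->undelete('tt_content', 501)); // rejected: page 20 is not editable
var_dump($checked->undelete('pages', 20));       // rejected: 'pages' is not in the modify list
var_dump($checked->undelete('tt_content', 502)); // allowed: page 10 is editable
print_r($checked->log());
```

Run it with `php restore_guard.php` (any filename works). The unchecked restorer returns true for the page-20 element, which is the bug class in this CVE; the checked restorer rejects both the page-20 element and the pages record, allows only the page-10 element, and leaves one log entry per rejection, which is the kind of USER_ERROR trail the remediation steps below tell you to look for in sys_log.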

Mitigation Strategies

  • Upgrade TYPO3 CMS to a patched version (10.4.57, 11.5.51, 12.4.46, 13.4.31, 14.3.3 or higher).
  • Remove access to the Recycler module (ext:recycler) for non-administrative backend user groups.
  • Audit the TYPO3 sys_log table for undelete actions by non-admin backend users, and alert on restores that touch tables or pages outside the user's configured permissions.

Remediation Steps:

  1. Identify the current active TYPO3 branch (10, 11, 12, 13, or 14).
  2. Apply the corresponding security update using Composer or the official source archives.
  3. Verify user group permissions to ensure low-privileged editors only possess access to designated database tables and pages.
  4. Review the TYPO3 system log table (sys_log) for USER_ERROR entries recorded for rejected undelete attempts; on a patched instance these identify users who tried to restore records outside their permissions.

Read the full report for CVE-2026-47349 on our website for more details including interactive diagrams and full exploit analysis.
