CVE-2026-6553: Cleartext Password Exposure in TYPO3 CMS Backend User Settings
Vulnerability ID: CVE-2026-6553
CVSS Score: 7.3
Published: 2026-04-24
CVE-2026-6553 is a high-severity sensitive data exposure vulnerability (CWE-312) in TYPO3 CMS version 14.2.0. The vulnerability allows plaintext backend user passwords to be stored within serialized configuration fields in the database. The flaw occurs when users update their profile via the 'User Settings' module, exposing credentials to any actor with database read access.
TL;DR
TYPO3 CMS version 14.2.0 fails to partition sensitive database fields from user preferences during backend profile updates, writing plaintext passwords to serialized database columns. Immediate patching and manual database scrubbing are required.
Technical Details
- CWE ID: CWE-312
- Attack Vector: Network (Requires prior DB access)
- CVSS 4.0 Score: 7.3
- EPSS Score: 0.00029
- Impact: Information Disclosure / Credential Theft
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- TYPO3 CMS Backend Component
- TYPO3 Relational Database (be_users table)
- TYPO3 CMS: 14.2.0 (Fixed in: 14.3.0)
Code Analysis
Commit: 9a6e913
Fix: Implement data partitioning and field blacklisting for backend user settings to prevent cleartext credential leakage
Mitigation Strategies
- Upgrade TYPO3 CMS to version 14.3.0 to prevent future cleartext credential storage.
- Execute the User Settings Scrubbing upgrade wizard to remove existing cleartext data from the database.
- Force a global password reset for all backend users who accessed the system during the 14.2.0 deployment window.
Remediation Steps:
- Download and install TYPO3 CMS version 14.3.0 via Composer or manual package update.
- Navigate to the TYPO3 backend Admin Tools -> Upgrade -> Upgrade Wizard.
- Locate and execute the 'User Settings Scrubbing' migration script.
- Verify the removal of sensitive data by querying the be_users table for the string 'password' within the uc and user_settings columns.
- Issue a mandatory password reset directive for all administrative and standard backend accounts.
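The verification step above, as an added example that is not part of this advisory or of TYPO3's own tooling: it runs the be_users check for the string 'password' in the uc and user_settings columns against a constructed in-memory SQLite table and lists which serialized fields triggered the match, so the same accounts can be fed into the password-reset step. The serialized values are constructed approximations of PHP-serialized arrays, not real TYPO3 data; against a production database the same query is issued to the real be_users table.

```python
import re
import sqlite3

# Query used by the verification step: flag any backend user whose
# serialized settings columns (uc, user_settings) contain 'password'.
FIND_LEAKED_SQL = """
SELECT uid, username, uc, user_settings
FROM be_users
WHERE uc LIKE '%password%'
   OR user_settings LIKE '%password%'
ORDER BY uid
"""

# Matches PHP-serialized strings such as s:8:"password"; or s:9:"password2";
# (key or value) so the report can name the offending fields.
LEAKED_FIELD_RE = re.compile(r's:\d+:"([^"]*password[^"]*)";', re.IGNORECASE)


def leaked_keys(serialized):
    """Return serialized strings containing 'password' (empty if none/NULL)."""
    if not serialized:
        return []
    return LEAKED_FIELD_RE.findall(serialized)


def find_users_with_cleartext_fields(conn):
    """Run the verification query; return (uid, username, fields) per hit."""
    findings = []
    for uid, username, uc, user_settings in conn.execute(FIND_LEAKED_SQL):
        fields = sorted(set(leaked_keys(uc) + leaked_keys(user_settings)))
        findings.append((uid, username, fields))
    return findings


def accounts_to_reset(conn):
    """Usernames that must receive a forced password reset."""
    return [name for _, name, _ in find_users_with_cleartext_fields(conn)]


def build_sample_db():
    """Constructed be_users rows in SQLite (hypothetical data, not TYPO3 output)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE be_users ("
        "uid INTEGER PRIMARY KEY, username TEXT, uc TEXT, user_settings TEXT)"
    )
    rows = [
        # Clean row: only harmless preferences, user_settings NULL.
        (1, "editor", 'a:1:{s:4:"lang";s:2:"en";}', None),
        # Leak in uc: both password form fields persisted next to preferences.
        (2, "admin",
         'a:3:{s:4:"lang";s:2:"de";'
         's:8:"password";s:9:"Sup3rSecr";s:9:"password2";s:9:"Sup3rSecr";}',
         None),
        # Leak in user_settings only.
        (3, "reviewer", 'a:0:{}', 'a:1:{s:8:"password";s:7:"hunter2";}'),
        # Clean row: unrelated preference key, no 'password' substring.
        (4, "author", 'a:1:{s:8:"titleLen";i:50;}', 'a:0:{}'),
    ]
    conn.executemany("INSERT INTO be_users VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for uid, username, fields in find_users_with_cleartext_fields(db):
        print(f"uid={uid} user={username} leaked fields={fields}")
    print("force reset for:", accounts_to_reset(db))
```

SQLite's LIKE is case-insensitive for ASCII; on MySQL/MariaDB that depends on the column collation, and on PostgreSQL use ILIKE. A NULL column never matches, which is the intended behaviour here. Treat the substring match as a conservative first pass: any row it flags should be scrubbed by the upgrade wizard and the account reset, and a clean result only confirms that no serialized field still contains that string.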