GHSA-jf56-v8jc-jcc5Low
TYPO3 CMS has Broken Access Control in its File Abstraction Layer
🔗 CVE IDs covered (1)
📋 Description
Problem
The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check.
Solution
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
Credits
TYPO3 CMS thanks Wolfgang Klinger for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.
Resources
🎯 Affected products5
- composer/typo3/cms-core:< 10.4.57
- composer/typo3/cms-core:>= 11.0.0, < 11.5.51
- composer/typo3/cms-core:>= 12.0.0, < 12.4.46
- composer/typo3/cms-core:>= 13.0.0, < 13.4.31
- composer/typo3/cms-core:>= 14.0.0, < 14.3.3
🔗 References (7)
- https://github.com/TYPO3/typo3/security/advisories/GHSA-jf56-v8jc-jcc5
- https://nvd.nist.gov/vuln/detail/CVE-2026-49738
- https://github.com/TYPO3/typo3/commit/150a983a5d687cedcfc33bbe9c335d9a13fd05e5
- https://github.com/TYPO3/typo3/commit/44c2fa9807944136218a0842e3051c0a379a002d
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49738.yaml
- https://typo3.org/security/advisory/typo3-core-sa-2026-016
- https://github.com/advisories/GHSA-jf56-v8jc-jcc5