HarborGuard Database

HIGH · CVE-2026-49742 · CNA: TYPO3

CVE-2026-49742: TYPO3 CMS - Broken Access Control in Media Module

Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Metrics

  • CVSS v4.0: 7.1
  • Severity: HIGH
  • Fixed in: 11.5.51
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Broken access control in the TYPO3 CMS Media Module allows authenticated backend users to read files outside their intended scope. The vulnerability is reachable over the network and requires only a low-privilege account with file download permissions. Successful exploitation lets an attacker download arbitrary files relative to the server's document root, including sensitive files such as application logs. Patched-image rebuilds at versions 11.5.51, 12.4.46, 13.4.31, and 14.3.3 are available on HarborGuard for affected environments.

HarborGuard Coverage

  • Detection: Available

    Detection of CVE-2026-49742 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed publication. Coverage extends to custom-built images that bundle TYPO3 CMS, not only images pulled from public registries.

  • Triage: Available

    HarborGuard is capable of surfacing this CVE with its CVSS v4.0 score of 7.1 (HIGH), weighted against each environment's compliance policy to reflect actual exposure. Findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

  • Patch: Available

    Patched-image rebuilds at TYPO3 versions 11.5.51, 12.4.46, 13.4.31, and 14.3.3 become available in HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, the pipeline rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The TYPO3 backend Media Module is exposed over the network, so an attacker must be able to reach the application's HTTP interface to trigger the download.

  • Authentication: Required

    A low-privilege backend account with file download permissions is sufficient; no administrative role is needed.

  • Victim interaction: Not required

    The attacker can send the malicious file download request directly with no action required from any other user.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions or special environmental factors need to align.

Blast Radius

  • Reads arbitrary files relative to the server's document root via the FAL fallback storage, including application log files that may contain session tokens, stack traces, or internal path information.
  • Reads configuration-adjacent files (such as .env or settings files) if they reside within the document root traversal scope, potentially exposing database credentials or API keys.
  • Exposes user-activity and error logs that can be used to map internal application behavior and enumerate other attack surfaces.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49742 activates automatically as images are scanned against the latest vulnerability feeds, including custom images bundling TYPO3 CMS. For environments running any affected version across the 11.x, 12.x, 13.x, or 14.x branches, a patched-image rebuild targeting the appropriate fix version (11.5.51, 12.4.46, 13.4.31, or 14.3.3) is available.

Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the designated team inbox with CVSS scoring and fix-version details included.

As an immediate compensating control, restricting backend user file download permissions to explicitly trusted accounts via TYPO3's access-control configuration reduces exposure while a patched image is staged for deployment.


Fix available: 11.5.51, 12.4.46, 13.4.31, 14.3.3
Affected packages
  • TYPO3 / TYPO3 CMS
    < 11.5.51 (from 11.0.0) · < 12.4.46 (from 12.0.0) · < 13.4.31 (from 13.0.0) · < 14.3.3 (from 14.0.0)
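The four affected ranges above are half-open intervals per branch (from the branch floor up to, but not including, the first fixed release). The following is an added example, not code from HarborGuard or the TYPO3 project, that encodes those ranges and triages a constructed inventory of image versions against them; the helper names, the version-string grammar it accepts, and the sample inventory are assumptions made for this example.

```python
"""Triage TYPO3 CMS versions against the CVE-2026-49742 affected ranges.

Ranges come from the advisory's "Affected packages" entry. Helper names and
the sample inventory below are constructed for this example.
"""
from __future__ import annotations

import re

# (branch floor, inclusive; first fixed release, exclusive) as listed in the advisory.
AFFECTED_RANGES: list[tuple[str, str]] = [
    ("11.0.0", "11.5.51"),
    ("12.0.0", "12.4.46"),
    ("13.0.0", "13.4.31"),
    ("14.0.0", "14.3.3"),
]

# Accepts MAJOR.MINOR.PATCH with an optional leading "v" and an optional
# pre-release/build suffix (assumption: the suffix is ignored for comparison).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def fix_version_for(version: str) -> str | None:
    """Return the first fixed release on the matching branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    """True if the version lies inside any [floor, fixed) range."""
    return fix_version_for(version) is not None


def triage(inventory: dict[str, str]) -> dict[str, str | None]:
    """Map each image name to the fix version it should move to (None when already safe)."""
    return {name: fix_version_for(ver) for name, ver in inventory.items()}


# Constructed sample inventory (image name -> bundled TYPO3 version); not real data.
SAMPLE_INVENTORY = {
    "cms-prod": "13.4.30",     # last vulnerable release on the 13.x branch
    "cms-staging": "12.4.46",  # already on the fixed release
    "cms-legacy": "11.5.3",
    "cms-next": "14.3.2",
    "cms-old": "10.4.37",      # branch not listed as affected
}

if __name__ == "__main__":
    for name, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Because the ranges are half-open, the fixed release itself (for example 12.4.46) is reported as not affected, while the release immediately below it is; a pre-release suffix is dropped before comparison, so treat any "-dev" or "-rc" build of a fixed version as unverified rather than safe.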
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N