CVE-2026-49738: TYPO3 CMS has Broken Access Control in its File Abstraction Layer
Problem
The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check.
Solution
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
Credits
TYPO3 CMS thanks Wolfgang Klinger for reporting this issue, and to TYPO3 core & security team member Oliver Hader for fixing it.
Resources
References
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-49738.yaml
- github.com/TYPO3/typo3/commit/150a983a5d687cedcfc33bbe9c335d9a13fd05e5
- github.com/TYPO3/typo3/commit/44c2fa9807944136218a0842e3051c0a379a002d
- github.com/TYPO3/typo3/security/advisories/GHSA-jf56-v8jc-jcc5
- github.com/advisories/GHSA-jf56-v8jc-jcc5
- nvd.nist.gov/vuln/detail/CVE-2026-49738
- typo3.org/security/advisory/typo3-core-sa-2026-016
Code Behaviors & Features
Detect and mitigate CVE-2026-49738 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →