CVE-2026-47349: TYPO3 CMS has Broken Access Control in the Recycler Module
Problem
Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify.
Solution
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
Credits
TYPO3 CMS thanks Hyunseo Shin for reporting this issue, and TYPO3 security team member Elias Häußler for fixing it.
Resources
References
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2026-47349.yaml
- github.com/TYPO3/typo3/commit/92f08d8944f1aeccf506fcd323c260448c64d7c8
- github.com/TYPO3/typo3/commit/9f17a307cf774d63ab8291fc97c6b55653b4265a
- github.com/TYPO3/typo3/security/advisories/GHSA-f34x-rx2w-7pm3
- github.com/advisories/GHSA-f34x-rx2w-7pm3
- nvd.nist.gov/vuln/detail/CVE-2026-47349
- typo3.org/security/advisory/typo3-core-sa-2026-011
Code Behaviors & Features
Detect and mitigate CVE-2026-47349 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →