CVE-2026-47352: CWE-862 Missing Authorization in TYPO3 TYPO3 CMS
TYPO3 CMS contains a missing authorization vulnerability (CWE-862) where authenticated backend users can retrieve file metadata via Backend API routes without proper permission checks. This allows access to files outside their authorized file mounts or storages. The issue affects multiple TYPO3 CMS versions prior to specific fixed releases. The vulnerability has a medium severity with a CVSS score of 5.3.
AI Analysis
Technical Summary
CVE-2026-47352 is a missing authorization vulnerability in TYPO3 CMS that allows authenticated backend users to access file metadata through several Backend API routes without adequate permission verification. This flaw enables users to access files beyond their assigned file mounts or storage areas. The vulnerability affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.51, 12.0.0 through 12.4.46, 13.0.0 through 13.4.31, and 14.0.0 through 14.3.3. No official remediation level or patch links are provided in the available data, and no known exploits in the wild have been reported.
Potential Impact
Authenticated backend users can bypass intended access controls to retrieve metadata of files outside their permitted file mounts or storages, potentially exposing sensitive file information. The impact is limited to users with backend access and does not allow privilege escalation or remote unauthenticated exploitation based on the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is indicated, administrators should monitor TYPO3 vendor communications for updates and consider restricting backend user permissions as a precaution until a patch is available.
CVSS v4.0
Score: 5.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: TYPO3
- Date Reserved: 2026-05-19T12:49:25.966Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a27f83d8dd33fbd8526d805
Added to database: 6/9/2026, 11:25:49 AM
Last enriched: 6/9/2026, 11:41:27 AM
Last updated: 6/9/2026, 2:45:05 PM