TYPO3-CORE-SA-2026-001: Broken Access Control in Edit Document Controller

Component Type: TYPO3 CMS
Subcomponent: Edit Document Controller (ext:backend)
Release Date: January 13, 2026
Vulnerability Type: Broken Access Control
Affected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1
Severity: Medium
Suggested CVSS: &nbsp; <a href="https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator?vector=AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" target="_blank" rel="noreferrer"> CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
References: &nbsp; <a href="https://www.cve.org/CVERecord?id=CVE-2025-59020" target="_blank" rel="noreferrer"> CVE-2025-59020 ,&nbsp; <a href="https://cwe.mitre.org/data/definitions/863.html" target="_blank" rel="noreferrer"> CWE-863

defVals

Component Type: TYPO3 CMS
Subcomponent: Edit Document Controller (ext:backend)
Release Date: January 13, 2026
Vulnerability Type: Broken Access Control
Affected Versions: 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, 14.0.0-14.0.1
Severity: Medium
Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
References: CVE-2025-59020, CWE-863

Problem Description
By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields.
Solution
Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.
Credits
Thanks to Daniel Windloff for reporting this issue, and to TYPO3 core & security team member Benjamin Franzke for fixing it.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security-related code changes are tagged so you can easily look them up in our review system.