TYPO3-CORE-SA-2026-013: Broken Access Control in Media Module
It has been discovered that TYPO3 CMS is susceptible to broken access control.
- Component Type: TYPO3 CMS
- Subcomponent: Media Module (ext:filelist)
- Release Date: June 9, 2026
- Vulnerability Type: Broken Access Control
- Affected Versions: 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, 14.0.0-14.3.2
- Severity: High
- Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- References: CVE-2026-49742, CWE-22, CWE-200
Problem Description
Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files.
Solution
Update to TYPO3 versions 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described.
Credits
Thanks to Hyunseo Shin for reporting this issue, and to TYPO3 security team member Torben Hansen for fixing it.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security-related code changes are tagged so you can easily look them up in our review system.