
Description

The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator at the boundary, so a path such as /var/www/html-other/secret.yaml was incorrectly accepted as lying inside a project root of /var/www/html. Administrator users with access to the File Abstraction Layer were therefore able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
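The flaw described above, shown as an added example that is not TYPO3's code and not taken from the referenced commits: a prefix-only check beside a boundary-aware one. The function names, the project root and the sample paths are assumptions chosen for illustration. The lexical normalisation step in the hardened variant goes beyond the separator-boundary fix the advisory describes; it is included because a boundary check on an un-normalised path still lets a `..` segment step back out of the root.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3's implementation. The constant, the function
// names and the sample paths below are assumptions for this example.
const PROJECT_ROOT = '/var/www/html';

/**
 * Vulnerable pattern: a plain string prefix comparison. Any path that merely
 * begins with the root string is accepted, including sibling directories whose
 * name happens to start with the same characters.
 */
function isAllowedAbsPathPrefixOnly(string $path, string $root = PROJECT_ROOT): bool
{
    return str_starts_with($path, $root);
}

/**
 * Lexical canonicalisation: collapse duplicate slashes and resolve '.' and '..'
 * segments without touching the filesystem, so '/root/../other' cannot pass as
 * '/root'. Absolute paths only; a leading '..' cannot climb above '/'.
 */
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

/**
 * Hardened pattern: the candidate must be the root itself or continue with a
 * directory separator immediately after the root. The separator is what turns
 * a string-prefix test into a directory-containment test.
 */
function isAllowedAbsPathBounded(string $path, string $root = PROJECT_ROOT): bool
{
    $root = rtrim(normalizePath($root), '/');
    $normalized = normalizePath($path);
    return $normalized === $root || str_starts_with($normalized, $root . '/');
}

// Constructed test cases: two legitimate paths, the sibling-directory case from
// the advisory, and a traversal that only the normalising check catches.
$cases = [
    '/var/www/html/fileadmin/user_upload',
    '/var/www/html',
    '/var/www/html-other/secret.yaml',
    '/var/www/html/../html-other/secret.yaml',
];

foreach ($cases as $case) {
    printf(
        "%-42s prefix-only=%-5s bounded=%s\n",
        $case,
        isAllowedAbsPathPrefixOnly($case) ? 'allow' : 'deny',
        isAllowedAbsPathBounded($case) ? 'allow' : 'deny'
    );
}
```

Run with `php example.php` (PHP 8 or later, for `str_starts_with`). The prefix-only function allows all four paths; the bounded function allows only the first two. When auditing other codebases for the same class of bug, look for `strpos($path, $root) === 0`, `str_starts_with`, or `substr` comparisons against a base directory that is not terminated with a separator, and check whether the input is canonicalised before the comparison.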

PUBLISHED Reserved 2026-06-01 | Published 2026-06-09 | Updated 2026-06-09 | Assigner TYPO3




LOW: 2.1 | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 10.4.57
affected

11.0.0 (semver) before 11.5.51
affected

12.0.0 (semver) before 12.4.46
affected

13.0.0 (semver) before 13.4.31
affected

14.0.0 (semver) before 14.3.3
affected

Credits

Wolfgang Klinger reporter

Oliver Hader remediation developer

References

typo3.org/security/advisory/typo3-core-sa-2026-016 vendor-advisory

github.com/...ommit/44c2fa9807944136218a0842e3051c0a379a002d (Git commit of main branch) patch

github.com/...ommit/150a983a5d687cedcfc33bbe9c335d9a13fd05e5 (Git commit of 13.4 branch) patch

cve.org (CVE-2026-49738)

nvd.nist.gov (CVE-2026-49738)
