TYPO3 CMS File Meta Disclosure via Backend API < 10.4.57
CVE-2026-47352 Published on June 9, 2026
TYPO3 CMS - Broken Access Control in Backend API
Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-47352 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-47352
Want to know whenever a new CVE is published for TYPO3? stack.watch will email you.
Affected Versions
TYPO3 CMS:- Before 10.4.57 is affected.
- Version 11.0.0 and below 11.5.51 is affected.
- Version 12.0.0 and below 12.4.46 is affected.
- Version 13.0.0 and below 13.4.31 is affected.
- Version 14.0.0 and below 14.3.3 is affected.