Missing check for expiration time of password reset token in TYPO3
Description
TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the expiration time of a password reset link for TYPO3 backend users has never been evaluated. As a result, a password reset link could be used to perform a password reset even if the default expiry time of two hours had been exceeded. Update to TYPO3 version 10.4.32 or 11.5.16, which fix the problem. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Password reset links for TYPO3 backend users never expired, allowing an attacker with a valid link to reset passwords indefinitely.
Vulnerability
A flaw in TYPO3's password reset mechanism for backend users was discovered. The expiration time of a password reset link has never been evaluated, meaning that even after the default expiry time of two hours has passed, the link remains valid. This oversight allows an attacker who has obtained a previously valid password reset link to use it at any time to initiate a password reset, without any time constraint.
Exploitation
To exploit this vulnerability, an attacker must first have access to a valid password reset link. This could be achieved through interception of email communications, access to a user's inbox, or other means of obtaining the reset link. No additional authentication or privileges are required once the link is obtained. The link can then be used to perform a password reset, even long after the intended expiry period has elapsed.
Impact
If successfully exploited, an attacker can change the password of a targeted TYPO3 backend user, gaining unauthorized access to the backend administration interface. This could lead to full compromise of the TYPO3 instance, including the ability to modify content, user accounts, and potentially execute arbitrary code through extension management or other administrative functions.
Mitigation
The vulnerability is fixed in TYPO3 versions 10.4.32 and 11.5.16 [1]. Users should upgrade immediately. There are no known workarounds [1].
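The vulnerable and fixed shapes of the token check, as an added illustration that is not TYPO3's code: a hypothetical minimal reset-token scheme in which the expiry is part of the HMAC-signed payload (so the holder cannot extend it), with the signature verified in both variants and the expiry compared against the clock only in the fixed one. The secret, identity and timestamps are constructed for the demo.

```php
<?php
// Hypothetical minimal reset-token scheme (added example, not TYPO3's code).
// The expiry is part of the signed payload, so the token holder cannot extend it.
const TOKEN_LIFETIME = 7200; // two hours, the default the advisory mentions

function issueResetToken(string $secret, string $identity, int $issuedAt): string
{
    $payload = $identity . '|' . ($issuedAt + TOKEN_LIFETIME);
    return base64_encode($payload . '|' . hash_hmac('sha256', $payload, $secret));
}

// Verify the HMAC and unpack the token; returns [identity, expiresAt] or null.
function verifySignedToken(string $secret, string $token): ?array
{
    $raw = base64_decode($token, true);
    $parts = $raw === false ? [] : explode('|', $raw, 3);
    if (count($parts) !== 3) { return null; }
    [$identity, $expiresAt, $mac] = $parts;
    $expected = hash_hmac('sha256', $identity . '|' . $expiresAt, $secret);
    // Constant-time comparison: a forged or tampered token stops here.
    return hash_equals($expected, $mac) ? [$identity, (int) $expiresAt] : null;
}

// Vulnerable shape: the signature is checked, the deadline inside it never is,
// which is the behaviour the advisory describes.
function findUserForTokenVulnerable(string $secret, string $token): ?string
{
    $verified = verifySignedToken($secret, $token);
    return $verified === null ? null : $verified[0];
}

// Fixed shape: same signature check, then the early return the patch adds.
function findUserForTokenFixed(string $secret, string $token, int $now): ?string
{
    $verified = verifySignedToken($secret, $token);
    if ($verified === null) {
        return null;
    }
    [$identity, $expiresAt] = $verified;
    if ($expiresAt < $now) {
        return null; // token is past its expiry
    }
    return $identity;
}
// Constructed demo: a token issued at T is presented three hours later.
$secret = 'constructed-demo-secret';
$token = issueResetToken($secret, 'admin', 1700000000);
echo 'vulnerable: ', var_export(findUserForTokenVulnerable($secret, $token), true), PHP_EOL;
echo 'fixed:      ', var_export(findUserForTokenFixed($secret, $token, 1700000000 + 3 * 3600), true), PHP_EOL;
```

The vulnerable variant still returns the identity for the stale token because the only thing it checks is the signature; the fixed variant rejects it because the signed expiry is in the past.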
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms-core (Packagist) | >= 10.4.0, < 10.4.32 | 10.4.32 |
| typo3/cms-core (Packagist) | >= 11.0.0, < 11.5.16 | 11.5.16 |
| typo3/cms (Packagist) | >= 10.4.0, < 10.4.32 | 10.4.32 |
| typo3/cms (Packagist) | >= 11.0.0, < 11.5.16 | 11.5.16 |
Affected products
- (no CPE) range: >= 10.0.0, < 10.4.31
- (no CPE) range: >= 10.4.0, < 10.4.32
- (no CPE) range: >= 10.4.0, < 10.4.32
Patches
56af2bd3a432 [SECURITY] Respect expiration time of password reset token
1 file changed · +5 −0
typo3/sysext/backend/Classes/Authentication/PasswordReset.php+5 −0 modified@@ -278,6 +278,11 @@ public function isValidResetTokenFromRequest(ServerRequestInterface $request): b */ protected function findValidUserForToken(string $token, string $identity, int $expirationTimestamp): ?array { + // Early return if token expired + if ($expirationTimestamp < time()) { + return null; + } + $user = null; // Find the token in the database $queryBuilder = $this->getPreparedQueryBuilder();
00b52a443b21 [SECURITY] Respect expiration time of password reset token
1 file changed · +5 −0
typo3/sysext/backend/Classes/Authentication/PasswordReset.php+5 −0 modified@@ -278,6 +278,11 @@ public function isValidResetTokenFromRequest(ServerRequestInterface $request): b */ protected function findValidUserForToken(string $token, string $identity, int $expirationTimestamp): ?array { + // Early return if token expired + if ($expirationTimestamp < time()) { + return null; + } + $user = null; // Find the token in the database $queryBuilder = $this->getPreparedQueryBuilder();
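Review bot: the early return in findValidUserForToken compares an $expirationTimestamp that is passed in by the caller, and the hunk does not show where that value originates; if it were taken from the request rather than from a value bound into the token's signature, the new check could be satisfied by presenting a later timestamp, so please confirm that the caller visible in the hunk header (isValidResetTokenFromRequest) only hands over a timestamp that has already been verified as part of the token. Two smaller points: `$expirationTimestamp < time()` still accepts a token during the exact second it expires, which is fine if intentional but worth a comment, and since this check was missing unnoticed for two release lines, a unit test that presents a token past its expiry and expects null would guard against regression.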
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5959-4x58-r8c2 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-36106 (advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36106.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36106.yaml
- github.com/TYPO3/typo3/commit/00b52a443b21baaaab35f8606dbb0ce427261bb5
- github.com/TYPO3/typo3/commit/56af2bd3a432156c30af9be71c9d6f7ef3a6159a
- github.com/TYPO3/typo3/security/advisories/GHSA-5959-4x58-r8c2
- typo3.org/security/advisory/typo3-core-sa-2022-008