TYPO3 Has Broken Authentication in Backend MFA
Description
TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.12 LTS, the multifactor authentication (MFA) dialog presented during backend login can be bypassed because access restrictions are not enforced on all backend routes. Successful exploitation requires valid backend user credentials, since MFA can only be bypassed after the first authentication step has succeeded. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the problem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 backend MFA can be bypassed due to insufficient route access checks, requiring valid credentials.
Vulnerability
Description
The multifactor authentication (MFA) dialog presented during TYPO3 backend login can be bypassed because access restrictions on all backend routes are not sufficiently enforced. Specifically, when MFA is required, the code incorrectly allows access to routes that require a logged-in backend user without completing MFA [1][3]. The fix corrects a logical negation error in the condition that checks whether the requested route demands authenticated user status [4].
Exploitation
Successful exploitation requires valid backend user credentials, as the MFA bypass only occurs after the first authentication step. An attacker with valid credentials can access backend routes without completing the second factor, effectively bypassing MFA [1][3].
Impact
By bypassing MFA, an attacker gains full access to the TYPO3 backend with the privileges of the compromised user account. This can lead to unauthorized data access, content manipulation, or further compromise of the system [3].
Mitigation
The vulnerability affects TYPO3 versions 12.0.0 to 12.4.30 and 13.0.0 to 13.4.11. Users must update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to resolve the issue [1][3]. No workarounds are mentioned; upgrading is the only recommended action.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| typo3/cms-backend | Packagist | >= 12.0.0, < 12.4.31 | 12.4.31 |
| typo3/cms-backend | Packagist | >= 13.0.0, < 13.4.12 | 13.4.12 |
Patches
034f58902995 [SECURITY] Prevent MFA bypass for backend login
1 file changed · +1 −1
Classes/Middleware/BackendUserAuthenticator.php+1 −1 modified@@ -100,7 +100,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface } catch (MfaRequiredException $mfaRequiredException) { // If MFA is required and we are not already on the "auth_mfa" // route, force the user to it for further authentication. - if (!$mfaRequested && !$this->isLoggedInBackendUserRequired($route)) { + if (!$mfaRequested && $this->isLoggedInBackendUserRequired($route)) { return $this->redirectToMfaEndpoint( 'auth_mfa', $GLOBALS['BE_USER'],
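Review bot: The inverted check on the removed line is the whole bug: with `!$this->isLoggedInBackendUserRequired($route)` the redirect to `auth_mfa` inside the `MfaRequiredException` catch block only fired for routes that do not need a logged-in backend user, so every route that does require one fell past the redirect while MFA was still pending; the added line flips the test so that exactly those protected routes are sent to the MFA endpoint. The hunk does not show what happens when the new condition is false (an `auth_mfa` request, or a route with no logged-in-user requirement), so confirm that path still ends in the MFA flow or a denial rather than dispatching the handler, and add a regression test that requests a route for which `isLoggedInBackendUserRequired()` is true with a pending `MfaRequiredException` and asserts the `auth_mfa` redirect, since a one-character negation slip like this is exactly what a unit test of the middleware would have caught.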
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-744g-7qm9-hjh9 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-47941 (NVD entry)
- github.com/TYPO3-CMS/backend/commit/034f589029952084771c5f98d42ed0f69f9a7ead (fix commit)
- github.com/TYPO3/typo3/security/advisories/GHSA-744g-7qm9-hjh9 (TYPO3 repository advisory)
- typo3.org/security/advisory/typo3-core-sa-2025-015 (TYPO3 security advisory)