Contao discloses sensitive information in the front end search index
Description
Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Protected content elements in Contao CMS are indexed and exposed in the front end search, bypassing access restrictions.
Vulnerability
Overview
Contao, an open source CMS versions 4.9.14 through 4.13.55, 5.3.37, and 5.5.x prior to 5.6.1 contain an information disclosure vulnerability CVE-2025-57756 where protected content elements rendered as fragments are incorrectly indexed by the front end search. The root cause is a programming error in the getFrontendModule() and getContentElement() functions within core-bundle/contao/library/Contao, where the code checks the wrong object variable ($objModule or $objElement) for the protected property instead of the correct $objRow variable [3]. This oversight prevents the indexing-disabling logic from being applied to protected elements, making them publicly searchable.
Exploitation
An unauthenticated attacker can exploit this vulnerability by simply using the front end search functionality of a vulnerable Contao site. No special privileges or user interaction is required [4]. The attacker does not need to be authenticated, but the search results will reveal content that should only be accessible to authorized users. The attack vector is network-based, and the complexity is low.
Impact
Successful exploitation leads to unauthorized disclosure of protected content, such as restricted articles, modules, or other elements that were intended for specific user groups. This information disclosure can compromise the confidentiality of sensitive data managed within the CMS [1][4]. The integrity and availability of the system are not directly affected.
Mitigation
The vulnerability has been patched in Contao versions 4.13.56, 5.3.38, and 5.6.1 [1]. Users unable to update immediately can apply a workaround by disabling the front end search feature entirely [1]. The fix corrects the variable reference in the indexing logic, ensuring that protected elements are properly excluded from the search index [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
contao/core-bundlePackagist | >= 4.9.14, < 4.13.56 | 4.13.56 |
contao/contaoPackagist | >= 4.9.14, < 4.13.56 | 4.13.56 |
contao/core-bundlePackagist | >= 5.0.0-RC1, < 5.3.38 | 5.3.38 |
contao/core-bundlePackagist | >= 5.4.0-RC1, < 5.6.1 | 5.6.1 |
contao/contaoPackagist | >= 5.0.0-RC1, < 5.3.38 | 5.3.38 |
contao/contaoPackagist | >= 5.4.0-RC1, < 5.6.1 | 5.6.1 |
Affected products
2- Range: <4.13.56, <5.3.38, <5.6.1
- contao/contaov5Range: >= 4.9.14, < 4.13.56
Patches
1a03976c459b6Merge commit from fork
1 file changed · +4 −4
core-bundle/contao/library/Contao/Controller.php+4 −4 modified@@ -414,9 +414,9 @@ public static function getFrontendModule($intId, $strColumn='main') } // Disable indexing if protected - if ($objModule->protected && !preg_match('/^\s*<!-- indexer::stop/', $strBuffer)) + if ($objRow->protected && !preg_match('/^\s*<!-- indexer::stop/', $strBuffer)) { - $groups = StringUtil::deserialize($objModule->groups, true); + $groups = StringUtil::deserialize($objRow->groups, true); if (\count($groups) !== 1 || !\in_array(-1, array_map(\intval(...), $groups), true)) { @@ -629,9 +629,9 @@ public static function getContentElement($intId, $strColumn='main') } // Disable indexing if protected - if ($objElement->protected && !preg_match('/^\s*<!-- indexer::stop/', $strBuffer)) + if ($objRow->protected && !preg_match('/^\s*<!-- indexer::stop/', $strBuffer)) { - $groups = StringUtil::deserialize($objElement->groups, true); + $groups = StringUtil::deserialize($objRow->groups, true); if (\count($groups) !== 1 || !\in_array(-1, array_map(\intval(...), $groups), true)) {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-2xmj-8wmq-7475ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-57756ghsaADVISORY
- contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-indexghsax_refsource_MISCWEB
- github.com/contao/contao/commit/a03976c459b6f3985a28f6488b82a76ffb6c0514ghsax_refsource_MISCWEB
- github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.