Information Disclosure in Workspaces Module
Description
Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in TYPO3 CMS Workspace Module allows backend users to access sensitive data via an unprotected AJAX route.
Description
The Workspace Module of TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 lacks proper authorization checks on a backend AJAX route [1][4]. This flaw permits any authenticated backend user, regardless of their permissions on the target table, to directly invoke the route and retrieve sensitive data from the database [4]. The commit addressing the issue includes additional permission verification to restrict access only to authorized users [2].
Exploitation
Exploitation requires a valid TYPO3 backend user account with access to the workspaces module [1][4]. The attacker can send a crafted AJAX request to the vulnerable endpoint, without needing specific privileges on the database table being queried [4]. The attack vector is network-based and low complexity, as described by the suggested CVSS vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N [4].
Impact
Successful exploitation leads to information disclosure, as an unauthorized backend user can read arbitrary records from database tables [4]. According to the advisory, the vulnerability allows the caller to retrieve sensitive data without permission checks, constituting a high-severity issue [4]. No further impact on integrity or availability is expected.
Mitigation
TYPO3 has released security updates that fix the problem: versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, and 13.4.18 LTS [4]. Users should upgrade to these versions immediately. No workaround is mentioned; applying the patch is the recommended course of action [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| typo3/cms-workspaces | Packagist | >= 9.0.0, < 12.4.37 | 12.4.37 |
| typo3/cms-workspaces | Packagist | >= 10.0.0, < 12.4.37 | 12.4.37 |
| typo3/cms-workspaces | Packagist | >= 11.0.0, < 12.4.37 | 12.4.37 |
| typo3/cms-workspaces | Packagist | >= 12.0.0, < 12.4.37 | 12.4.37 |
| typo3/cms-workspaces | Packagist | >= 13.0.0, < 13.4.18 | 13.4.18 |
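As an added example (not part of the advisory or of TYPO3's own tooling), the following checker maps an installed TYPO3 version onto the per-branch affected and patched versions stated in the description and mitigation text above, and looks the package up in a composer.lock document. The lock fragment is constructed for the demonstration, and `typo3/cms-core` is assumed to carry the same release version as `typo3/cms-workspaces`.

```python
"""Map an installed TYPO3 CMS version onto the affected/patched ranges of this advisory."""
import json
from typing import Dict, Optional, Tuple

# Per release branch: (first affected, last affected, first patched), taken from the
# advisory text above. Constructed lookup table for this example, not vendor data.
AFFECTED_BRANCHES = {
    9: ((9, 0, 0), (9, 5, 54), (9, 5, 55)),
    10: ((10, 0, 0), (10, 4, 53), (10, 4, 54)),
    11: ((11, 0, 0), (11, 5, 47), (11, 5, 48)),
    12: ((12, 0, 0), (12, 4, 36), (12, 4, 37)),
    13: ((13, 0, 0), (13, 4, 17), (13, 4, 18)),
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v12.4.36' or '12.4.36-dev' into a comparable (major, minor, patch) tuple.
    A pre-release suffix is dropped, so '12.4.37-dev' compares as 12.4.37."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return ('affected', first_fixed), ('patched', None) or ('unaffected', None)."""
    v = parse_version(version)
    branch = AFFECTED_BRANCHES.get(v[0])
    if branch is None:
        return "unaffected", None  # major versions the advisory does not list (8.x, 14.x, ...)
    first, last, fixed = branch
    if first <= v <= last:
        return "affected", ".".join(map(str, fixed))
    return "patched", None

def scan_composer_lock(lock_json: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess the TYPO3 packages found in a composer.lock document (JSON text)."""
    data = json.loads(lock_json)
    watched = ("typo3/cms-workspaces", "typo3/cms-core")  # assumed to share one release version
    return {p["name"]: assess(p["version"])
            for p in data.get("packages", []) if p.get("name") in watched}

# Constructed sample lock fragment, not a real project file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v12.4.36"},
    {"name": "typo3/cms-workspaces", "version": "v12.4.36"},
    {"name": "symfony/console", "version": "v6.4.0"},
]})

if __name__ == "__main__":
    for name, (status, fixed) in scan_composer_lock(SAMPLE_LOCK).items():
        print(f"{name}: {status}" + (f" (upgrade to {fixed})" if fixed else ""))
```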
Affected products
- TYPO3/TYPO3 CMS, range: 9.0.0
Patches
114c189c7b30 [SECURITY] Avoid displaying version details to unauthorized users
2 files changed · +90 −2
Classes/Service/GridDataService.php+15 −2 modified@@ -117,7 +117,15 @@ public function getRowDetails(array $stages, \stdClass $parameter): array { $backendUser = $this->getBackendUser(); $table = $parameter->table; - $schema = $this->tcaSchemaFactory->get($table); + $schema = $this->tcaSchemaFactory->has($table) ? $this->tcaSchemaFactory->get($table) : null; + + if ($schema === null + || !$schema->isWorkspaceAware() + || !$backendUser->check('tables_modify', $table) + ) { + throw new \RuntimeException(sprintf('Invalid access to table "%s"', $table), 1756882012); + } + $diffReturnArray = []; $liveReturnArray = []; $plainLiveRecord = $liveRecord = (array)BackendUtility::getRecord($table, $parameter->t3ver_oid); @@ -176,7 +184,12 @@ public function getRowDetails(array $stages, \stdClass $parameter): array $configuration = $fieldTypeInformation->getConfiguration(); // check for exclude fields $isFieldExcluded = $fieldTypeInformation->supportsAccessControl(); - if ($backendUser->isAdmin() || !$isFieldExcluded || GeneralUtility::inList($backendUser->groupData['non_exclude_fields'], $table . ':' . $fieldName)) { + if ($backendUser->isAdmin() + || ( + $fieldTypeInformation->getDisplayConditions() !== 'HIDE_FOR_NON_ADMINS' + && (!$isFieldExcluded || GeneralUtility::inList($backendUser->groupData['non_exclude_fields'], $table . ':' . $fieldName)) + ) + ) { $granularity = $fieldTypeInformation->isType(TableColumnType::FLEX) ? DiffGranularity::CHARACTER : DiffGranularity::WORD; // call diff class only if there is a difference if ($fieldTypeInformation->isType(TableColumnType::FILE)) {
Tests/Functional/Service/GridDataServiceTest.php+75 −0 added@@ -0,0 +1,75 @@ +<?php + +declare(strict_types=1); + +/* + * This file is part of the TYPO3 CMS project. + * + * It is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License, either version 2 + * of the License, or any later version. + * + * For the full copyright and license information, please read the + * LICENSE.txt file that was distributed with this source code. + * + * The TYPO3 project - inspiring people to share! + */ + +namespace TYPO3\CMS\Workspaces\Tests\Functional\Service; + +use PHPUnit\Framework\Attributes\DataProvider; +use PHPUnit\Framework\Attributes\Test; +use TYPO3\CMS\Core\Authentication\BackendUserAuthentication; +use TYPO3\CMS\Core\Localization\LanguageServiceFactory; +use TYPO3\CMS\Workspaces\Domain\Repository\WorkspaceRepository; +use TYPO3\CMS\Workspaces\Domain\Repository\WorkspaceStageRepository; +use TYPO3\CMS\Workspaces\Service\GridDataService; +use TYPO3\CMS\Workspaces\Service\StagesService; +use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase; + +final class GridDataServiceTest extends FunctionalTestCase +{ + protected array $coreExtensionsToLoad = ['workspaces']; + private ?BackendUserAuthentication $backendUser = null; + + protected function setUp(): void + { + parent::setUp(); + $this->importCSVDataSet(__DIR__ . '/../Fixtures/be_users.csv'); + $this->importCSVDataSet(__DIR__ . 
'/../Fixtures/sys_workspace.csv'); + + $this->backendUser = $this->setUpBackendUser(1); + $this->backendUser->workspace = 91; + $GLOBALS['LANG'] = $this->get(LanguageServiceFactory::class)->createFromUserPreferences($this->backendUser); + } + + public static function getRowDetailsThrowsExceptionDataProvider(): \Generator + { + $editStage = StagesService::STAGE_EDIT_ID; + yield 'non-existing table' => ['table' => 'does-not-exist', 'liveId' => 0, 'versionId' => 0, 'stage' => $editStage]; + yield 'workspace-unaware table' => ['table' => 'sys_note', 'liveId' => 0, 'versionId' => 0, 'stage' => $editStage]; + } + + #[Test] + #[DataProvider('getRowDetailsThrowsExceptionDataProvider')] + public function getRowDetailsThrowsException(string $table, int $liveId, int $versionId, int $stage): void + { + $workspace = $this->get(WorkspaceRepository::class)->findByUid($this->backendUser->workspace); + $stages = $this->get(WorkspaceStageRepository::class)->findAllStagesByWorkspace( + $this->backendUser, + $workspace + ); + + $instruction = new \stdClass(); + $instruction->table = $table; + $instruction->t3ver_oid = $liveId; + $instruction->uid = $versionId; + $instruction->stage = $stage; + + $subject = $this->get(GridDataService::class); + + $this->expectException(\RuntimeException::class); + $this->expectExceptionCode(1756882012); + $subject->getRowDetails($stages, $instruction); + } +}
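Review bot: the guard added in the first GridDataService.php hunk (@@ -117,7 +117,15 @@) is table-level only: `$backendUser->check('tables_modify', $table)` establishes that the user may edit the table at all, but nothing in the hunk checks the user's access to the specific record selected by `$parameter->t3ver_oid` before `BackendUtility::getRecord` loads it. If page or DB-mount based record access is enforced elsewhere on this AJAX route, a short comment saying so would help; otherwise a record-level check after the fetch would close the remaining gap. Throwing a bare `\RuntimeException` also reads as a generic failure rather than an access denial; mapping it to an access-denied response in the calling controller would make the intent clearer.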
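Review bot: in the second hunk (@@ -176,7 +184,12 @@) the new condition `$fieldTypeInformation->getDisplayConditions() !== 'HIDE_FOR_NON_ADMINS'` is a strict string comparison. TCA `displayCond` may also be given as an array combining conditions under AND/OR keys; if `getDisplayConditions()` passes that form through unchanged, a field whose condition is an array containing `HIDE_FOR_NON_ADMINS` would still be diffed and shown to non-admins by this branch. Either normalise the condition before comparing, or document that only the plain string form is honoured here.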
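Review bot: the new functional test in GridDataServiceTest.php covers only the two cases yielded by `getRowDetailsThrowsExceptionDataProvider` ('non-existing table' and 'workspace-unaware table'), so it exercises the schema checks but not the third branch of the guard, a workspace-aware table on which the user lacks `tables_modify`, which is the authorization gap the advisory describes. There is also no positive case asserting that an authorised user still receives row details. Adding a non-admin user from `be_users.csv` without `tables_modify` on a workspace-aware table, plus one success case, would pin down both sides of the fix.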
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-w2pf-7q5w-2cgw (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-59018 (GHSA, advisory)
- typo3.org/security/advisory/typo3-core-sa-2025-022 (GHSA, vendor advisory, web)
- github.com/TYPO3-CMS/workspaces/commit/114c189c7b30181cee96d176e31f212b02d14d4d (GHSA, web)