CVE-2026-47343
Description
Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2.
Affected products
2 Patches
2504e72470ff7 [SECURITY] Deny destructive write actions on mount folders
1 file changed · +30 −0
typo3/sysext/core/Classes/Resource/ResourceStorage.php+30 −0 modified@@ -542,6 +542,18 @@ public function getFileMounts(): array return $this->fileMounts; } + public function isFileMountFolder(Folder $folder): bool + { + foreach ($this->fileMounts as $mount) { + $rootLevelFolder = $mount['folder'] ?? null; + if ($rootLevelFolder instanceof Folder && $rootLevelFolder->getCombinedIdentifier() === $folder->getCombinedIdentifier()) { + return true; + } + } + + return false; + } + /** * Checks if the given subject is within one of the registered user * file mounts. If not, working with the file is not permitted for the user. @@ -744,9 +756,27 @@ public function checkFolderActionPermission(string $action, ?FolderInterface $fo if ($isWriteCheck && !$folderPermissions['w']) { return false; } + + // Check 5: File mount check + if (!$this->isAllowedActionOnMountFolder($action, $folder)) { + return false; + } + return true; } + protected function isAllowedActionOnMountFolder(string $action, FolderInterface $folder): bool + { + $deniedMountActions = ['move', 'delete', 'rename']; + + // Early return if the given folder is not a mount folder + if (!$folder instanceof Folder || !$this->isFileMountFolder($folder)) { + return true; + } + + return !in_array($action, $deniedMountActions, true); + } + /** * If the fileName is given, checks it against the * TYPO3_CONF_VARS[BE][fileDenyPattern] + and if the file extension is allowed.
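Review bot: Check 5 hands `$folder` straight to `isAllowedActionOnMountFolder(string $action, FolderInterface $folder)`, but the enclosing `checkFolderActionPermission(string $action, ?FolderInterface $folder = null)` accepts null; unless the part of the method outside this hunk already returns for a null folder before this point, the new call throws a TypeError rather than yielding a permission result. Guard the call with `$folder !== null &&` or declare the helper parameter `?FolderInterface` so the hunk is safe on its own. Minor: the new public `isFileMountFolder()` carries no docblock, while the neighbouring methods in this file document their purpose.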
ac4125aef8b9 [SECURITY] Deny destructive write actions on mount folders
1 file changed · +30 −0
typo3/sysext/core/Classes/Resource/ResourceStorage.php+30 −0 modified@@ -615,6 +615,18 @@ public function getFileMounts() return $this->fileMounts; } + public function isFileMountFolder(Folder $folder): bool + { + foreach ($this->fileMounts as $mount) { + $rootLevelFolder = $mount['folder'] ?? null; + if ($rootLevelFolder instanceof Folder && $rootLevelFolder->getCombinedIdentifier() === $folder->getCombinedIdentifier()) { + return true; + } + } + + return false; + } + /** * Checks if the given subject is within one of the registered user * file mounts. If not, working with the file is not permitted for the user. @@ -830,9 +842,27 @@ public function checkFolderActionPermission($action, ?Folder $folder = null) if ($isWriteCheck && !$folderPermissions['w']) { return false; } + + // Check 5: File mount check + if (!$this->isAllowedActionOnMountFolder($action, $folder)) { + return false; + } + return true; } + protected function isAllowedActionOnMountFolder(string $action, FolderInterface $folder): bool + { + $deniedMountActions = ['move', 'delete', 'rename']; + + // Early return if the given folder is not a mount folder + if (!$folder instanceof Folder || !$this->isFileMountFolder($folder)) { + return true; + } + + return !in_array($action, $deniedMountActions, true); + } + /** * If the fileName is given, checks it against the * TYPO3_CONF_VARS[BE][fileDenyPattern] + and if the file extension is allowed.
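Review bot: this backport has the same nullable mismatch: `checkFolderActionPermission($action, ?Folder $folder = null)` allows a null folder while `isAllowedActionOnMountFolder(string $action, FolderInterface $folder)` does not, so Check 5 depends on an early return that lies outside the hunk; a `$folder !== null` guard would make that explicit. Additionally, `$action` is untyped in this branch's signature but the helper requires `string`, so callers that pass a non-string action now hit the helper's type check; either type `$action` in the signature or cast it before the call.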
Vulnerability mechanics
Root cause
"Missing authorization checks allowed non-privileged users to perform write operations on root file mount folders."
Attack vector
Non-privileged backend users with file mount access could exploit this vulnerability by attempting write operations such as moving, deleting, or renaming a folder that represents the root of an active file mount. The vulnerability stems from a lack of authorization restrictions that would normally prevent such actions on these critical directories, so unauthorized modifications to the file system structure were possible [ref_id=1].
Affected code
The vulnerability exists in the `ResourceStorage` class (`typo3/sysext/core/Classes/Resource/ResourceStorage.php`) within the TYPO3 core system extension. Specifically, the `checkFolderActionPermission` method was modified to include a new check for file mount folders. The changes add the `isFileMountFolder` and `isAllowedActionOnMountFolder` methods to enforce restrictions on write operations against these designated directories [ref_id=1, ref_id=2].
What the fix does
The patch introduces a new check within the `checkFolderActionPermission` method to verify if the requested action is permitted on a file mount folder. It adds a helper function `isFileMountFolder` to identify mount point directories and `isAllowedActionOnMountFolder` to check if the action is in a list of denied operations for these specific folders. This ensures that destructive write actions like 'move', 'delete', and 'rename' are explicitly denied on root file mount folders, thereby closing the vulnerability [patch_id=5349034, patch_id=5349035].
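As an added illustration, not code from TYPO3 or the patch itself, the following PHP model reproduces the shape of the new check and runs it once in the unpatched and once in the patched form; the `Storage` and `Folder` classes and the folder identifiers are constructed for this example only.

```php
<?php
// Added example (not TYPO3 code): a minimal model of "Check 5" from the patch.
// Earlier checks in the real method (user action permission, mount containment,
// the folder's own 'w' permission) are assumed to have passed already.

final class Folder
{
    public function __construct(private string $combinedIdentifier) {}
    public function getCombinedIdentifier(): string { return $this->combinedIdentifier; }
}

final class Storage
{
    /** @param Folder[] $mountRoots root folders of the user's active file mounts */
    public function __construct(private array $mountRoots, private bool $patched) {}

    // Same identity rule as the patch: a folder is a mount folder when its
    // combined identifier equals that of a mount's root folder.
    private function isFileMountFolder(Folder $folder): bool
    {
        foreach ($this->mountRoots as $root) {
            if ($root->getCombinedIdentifier() === $folder->getCombinedIdentifier()) {
                return true;
            }
        }
        return false;
    }

    public function checkFolderActionPermission(string $action, Folder $folder): bool
    {
        if (!$this->patched) {
            return true; // before the fix: write permission on the folder was sufficient
        }
        $deniedMountActions = ['move', 'delete', 'rename'];
        if (!$this->isFileMountFolder($folder)) {
            return true; // subfolders of a mount are unaffected by the new check
        }
        return !in_array($action, $deniedMountActions, true);
    }
}

$mountRoot = new Folder('1:/user_upload/');          // constructed sample mount root
$subFolder = new Folder('1:/user_upload/reports/');  // constructed sample subfolder

foreach ([false, true] as $patched) {
    $storage = new Storage([$mountRoot], $patched);
    printf("%-9s delete mount root: %s | rename subfolder: %s | copy mount root: %s\n",
        $patched ? 'patched' : 'unpatched',
        var_export($storage->checkFolderActionPermission('delete', $mountRoot), true),
        var_export($storage->checkFolderActionPermission('rename', $subFolder), true),
        var_export($storage->checkFolderActionPermission('copy', $mountRoot), true));
}
```

The run shows the patched model denying only the listed destructive actions on the mount root while leaving subfolder operations and non-destructive actions such as copy untouched.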
Preconditions
- auth: The attacker must be a non-privileged backend user.
- config: The user must have file mount access configured.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3 News mentions
- TYPO3 CMS: Thirteen Backend Vulnerabilities Disclosed on June 9, 2026 (Vypr Intelligence · Jun 9, 2026)