VYPR
Medium severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-47351

Description

TYPO3 CMS clipboard vulnerability allows backend users to access unauthorized records and files due to missing permission checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Backend users in TYPO3 CMS could insert arbitrary records and files into the clipboard without proper read permission checks. This allowed them to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2 [3].

Exploitation

An attacker with backend user privileges can exploit this vulnerability by adding records or files to the clipboard. The vulnerability lies in the lack of read permission checks during this process, allowing unauthorized information disclosure.

Impact

Successful exploitation allows an attacker to gain unauthorized access to information about records and files that they are not permitted to view. This constitutes a breach of confidentiality for sensitive data within the TYPO3 CMS.

Mitigation

Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS. The fix was released on June 9, 2026 [3].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
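
A triage check for the Mitigation step above, as an added example that is not part of the advisory or of TYPO3: it reads a `composer.lock` and classifies the installed backend package against the fixed releases listed. The package name `typo3/cms-backend`, the per-major mapping of fixed releases, and the sample lock file are assumptions of this example.

```python
import json
import re

# Fixed releases named in the Mitigation text, keyed by major version.
FIXED = {10: (10, 4, 57), 11: (11, 5, 51), 12: (12, 4, 46),
         13: (13, 4, 31), 14: (14, 3, 3)}
# Lowest version in the affected range stated on this page.
FIRST_AFFECTED = (10, 4, 0)
# Assumption: the composer package that ships typo3/sysext/backend.
PACKAGE = "typo3/cms-backend"


def parse_version(text):
    """Turn 'v13.4.30' or '13.4.30' into (13, 4, 30); None if not a plain release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def status(version_text):
    """Classify one version string against the ranges given on this page."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"        # dev branches or aliases: check by hand
    fixed = FIXED.get(version[0])
    if version < FIRST_AFFECTED or fixed is None:
        return "not-listed"     # outside the range the advisory states
    return "affected" if version < fixed else "fixed"


def audit_lock(lock_json):
    """Return (version, status) for PACKAGE in composer.lock text, or None."""
    lock = json.loads(lock_json)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name") == PACKAGE:
            version = pkg.get("version", "")
            return version, status(version)
    return None


# Constructed sample lock file, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v13.4.30"},
    {"name": "typo3/cms-backend", "version": "v13.4.30"},
]})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

A result of `unknown` or `not-listed` means the advisory's ranges do not decide the case, not that the installation is safe.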

Affected products

  • TYPO3/Typo3 (no CPE), range: 10.4.0-13.4.30, 14.0.0-14.3.2

Patches

2
932fbb9fcea2

[SECURITY] Check record/file access when adding records to clipboard

https://github.com/TYPO3/typo3 · Elias Häußler · Jun 9, 2026 · via github-commit-search
1 file changed · +28 -13
  • typo3/sysext/backend/Classes/Clipboard/Clipboard.php (+28 -13, modified)
    @@ -30,13 +30,15 @@
     use TYPO3\CMS\Core\Imaging\IconFactory;
     use TYPO3\CMS\Core\Imaging\IconSize;
     use TYPO3\CMS\Core\Localization\LanguageService;
    +use TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException;
     use TYPO3\CMS\Core\Resource\Exception\ResourceDoesNotExistException;
     use TYPO3\CMS\Core\Resource\File;
     use TYPO3\CMS\Core\Resource\Folder;
     use TYPO3\CMS\Core\Resource\ProcessedFile;
     use TYPO3\CMS\Core\Resource\ResourceFactory;
     use TYPO3\CMS\Core\Schema\Capability\TcaSchemaCapability;
     use TYPO3\CMS\Core\Schema\TcaSchemaFactory;
    +use TYPO3\CMS\Core\Type\Bitmask\Permission;
     use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
     use TYPO3\CMS\Core\Utility\GeneralUtility;
     use TYPO3\CMS\Core\Utility\MathUtility;
    @@ -662,21 +664,34 @@ public function cleanCurrent(): void
     
             foreach ($this->clipData[$this->current]['el'] as $reference => $value) {
                 [$table, $uid] = explode('|', $reference);
    -            if ($table !== '_FILE') {
    -                if (!$value || !is_array(BackendUtility::getRecord($table, (int)$uid, 'uid'))) {
    -                    unset($this->clipData[$this->current]['el'][$reference]);
    -                    $this->changed = true;
    -                }
    -            } elseif (!$value) {
    -                unset($this->clipData[$this->current]['el'][$reference]);
    -                $this->changed = true;
    -            } else {
    +            $unset = false;
    +
    +            if (!$value) {
    +                $unset = true;
    +            } elseif ($table === '_FILE') {
                     try {
    -                    $this->resourceFactory->retrieveFileOrFolderObject($value);
    -                } catch (ResourceDoesNotExistException $e) {
    -                    // The file has been deleted in the meantime, so just remove it silently
    -                    unset($this->clipData[$this->current]['el'][$reference]);
    +                    $fileOrFolder = $this->resourceFactory->retrieveFileOrFolderObject($value);
    +
    +                    if (($fileOrFolder instanceof File || $fileOrFolder instanceof Folder)
    +                        && !$fileOrFolder->checkActionPermission('read')
    +                    ) {
    +                        $unset = true;
    +                    }
    +                } catch (InsufficientFolderAccessPermissionsException|ResourceDoesNotExistException) {
    +                    // If either the file has been deleted in the meantime or the user lacks permissions
    +                    // for the folder, we just remove the clipboard entry silently
    +                    $unset = true;
                     }
    +            } elseif (!is_array($row = BackendUtility::getRecord($table, (int)$uid, ['uid', 'pid']))
    +                || !$this->getBackendUser()->check('tables_select', $table)
    +                || !is_array($page = BackendUtility::getRecord('pages', (int)($table === 'pages' ? $row['uid'] : $row['pid'])))
    +                || !$this->getBackendUser()->doesUserHaveAccess($page, Permission::PAGE_SHOW)
    +            ) {
    +                $unset = true;
    +            }
    +
    +            if ($unset) {
    +                $this->removeElement($reference);
                 }
             }
         }
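
Review bot: The `_FILE` branch fails open for unexpected return types: the entry is dropped only when the object is a `File` or `Folder` and `checkActionPermission('read')` returns false, so any other value returned by `retrieveFileOrFolderObject()` keeps its clipboard entry without a permission check. Consider inverting the condition so that `$unset = true` unless the object is a `File` or `Folder` and the read check passes.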
    
274070756334

[SECURITY] Check record/file access when adding records to clipboard

https://github.com/TYPO3/typo3 · Elias Häußler · Jun 9, 2026 · via nvd-ref
1 file changed · +28 -13
  • typo3/sysext/backend/Classes/Clipboard/Clipboard.php (+28 -13, modified)
    @@ -29,11 +29,13 @@
     use TYPO3\CMS\Core\Imaging\IconFactory;
     use TYPO3\CMS\Core\Imaging\IconSize;
     use TYPO3\CMS\Core\Localization\LanguageService;
    +use TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException;
     use TYPO3\CMS\Core\Resource\Exception\ResourceDoesNotExistException;
     use TYPO3\CMS\Core\Resource\File;
     use TYPO3\CMS\Core\Resource\Folder;
     use TYPO3\CMS\Core\Resource\ProcessedFile;
     use TYPO3\CMS\Core\Resource\ResourceFactory;
    +use TYPO3\CMS\Core\Type\Bitmask\Permission;
     use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
     use TYPO3\CMS\Core\Utility\GeneralUtility;
     use TYPO3\CMS\Core\Utility\MathUtility;
    @@ -669,21 +671,34 @@ public function cleanCurrent(): void
     
             foreach ($this->clipData[$this->current]['el'] as $reference => $value) {
                 [$table, $uid] = explode('|', $reference);
    -            if ($table !== '_FILE') {
    -                if (!$value || !is_array(BackendUtility::getRecord($table, (int)$uid, 'uid'))) {
    -                    unset($this->clipData[$this->current]['el'][$reference]);
    -                    $this->changed = true;
    -                }
    -            } elseif (!$value) {
    -                unset($this->clipData[$this->current]['el'][$reference]);
    -                $this->changed = true;
    -            } else {
    +            $unset = false;
    +
    +            if (!$value) {
    +                $unset = true;
    +            } elseif ($table === '_FILE') {
                     try {
    -                    $this->resourceFactory->retrieveFileOrFolderObject($value);
    -                } catch (ResourceDoesNotExistException $e) {
    -                    // The file has been deleted in the meantime, so just remove it silently
    -                    unset($this->clipData[$this->current]['el'][$reference]);
    +                    $fileOrFolder = $this->resourceFactory->retrieveFileOrFolderObject($value);
    +
    +                    if (($fileOrFolder instanceof File || $fileOrFolder instanceof Folder)
    +                        && !$fileOrFolder->checkActionPermission('read')
    +                    ) {
    +                        $unset = true;
    +                    }
    +                } catch (InsufficientFolderAccessPermissionsException|ResourceDoesNotExistException) {
    +                    // If either the file has been deleted in the meantime or the user lacks permissions
    +                    // for the folder, we just remove the clipboard entry silently
    +                    $unset = true;
                     }
    +            } elseif (!is_array($row = BackendUtility::getRecord($table, (int)$uid, 'uid,pid'))
    +                || !$this->getBackendUser()->check('tables_select', $table)
    +                || !is_array($page = BackendUtility::getRecord('pages', (int)($table === 'pages' ? $row['uid'] : $row['pid'])))
    +                || !$this->getBackendUser()->doesUserHaveAccess($page, Permission::PAGE_SHOW)
    +            ) {
    +                $unset = true;
    +            }
    +
    +            if ($unset) {
    +                $this->removeElement($reference);
                 }
             }
         }
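
Review bot: The record branch does not say what should happen to records stored at `pid` 0: the parent page is looked up with `BackendUtility::getRecord('pages', ...)` from `$row['pid']`, and the entry is dropped whenever that lookup does not return an array, so a record with no parent page appears to be removed for every user before `Permission::PAGE_SHOW` is ever evaluated. If that is intended, a short comment next to the condition would help; if not, that case needs its own branch. Separately, `check('tables_select', $table)` could be moved ahead of the first `getRecord()` call so that a table the user may not select is never queried.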
    

Vulnerability mechanics

Root cause

"The clipboard functionality did not properly check user permissions before adding records or files."

Attack vector

A backend user with access to the clipboard functionality could insert arbitrary records and files. This was achieved by manipulating the references to records and files added to the clipboard. The vulnerability allowed these users to bypass intended access controls and view information they were not authorized to access [ref_id=1].

Affected code

The vulnerability lies within the `cleanCurrent()` method of the clipboard functionality. The changes in the patch modify this method to include permission checks for both database records and file system objects before they are retained in the clipboard data [ref_id=1].

What the fix does

The patch introduces checks to verify that the backend user has the necessary read permissions for records and files before they are added to the clipboard [patch_id=5349017]. Specifically, it now checks if the user has access to the table for records and if the file or folder has a 'read' permission for file references. This prevents unauthorized information disclosure by ensuring only accessible items can be stored in the clipboard [ref_id=1].

Preconditions

  • auth: The attacker must be a backend user with access to the clipboard functionality.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
