TYPO3, Cleartext Storage of Sensitive Information, CVE-2026-6553 (High)

Listen to this Post

The vulnerability exists in the backend user settings module (SetupModuleController). In TYPO3 CMS version 14.2.0, this module incorrectly merged sensitive entity data—such as passwords or email addresses—with standard user interface settings like theme or display preferences prior to persisting the data. This improper data handling caused any password changed via the affected module to be written in plaintext into the `uc` and `user_settings` fields of the `be_users` database table. An attacker with database access could directly read these cleartext credentials. A remote attacker might also chain this issue with other vulnerabilities, such as a SQL injection, to extract the credentials. This flaw was introduced solely in TYPO3 14.2.0. The issue was fixed in the subsequent Long-Term Support (LTS) release, version 14.3.0. Crucially, simply upgrading does not automatically remove the stored cleartext data. Administrators must run the dedicated User Settings Scrubbing wizard to sanitize the affected database fields and enforce password resets for impacted backend accounts.

dailycve form:

Platform: TYPO3 CMS
Version: 14.2.0
Vulnerability : Cleartext password storage
Severity: High
date: 2026-04-21

Prediction: Patch available 2026-04-21

Analytics under heading What Undercode Say:

Identify the TYPO3 version to verify exposure.
grep -E "'version' => '14.[0-9].[0-9]'" typo3/sysext/core/Configuration/DefaultConfiguration.php
Check `be_users` table for cleartext passwords.
mysql -u [bash] -p -D [bash] -e "SELECT uid, username, uc, user_settings FROM be_users WHERE uc LIKE '%password%' OR user_settings LIKE '%password%';"

Exploit:

An attacker requires prior access to the TYPO3 database (e.g., via a SQL injection in another component) or local read access to the database storage. Once that access is obtained, the attacker can execute SQL queries against the `be_users` table to retrieve the contents of the `uc` and `user_settings` columns, which contain the cleartext credentials of backend users.

Protection from this CVE

Update your TYPO3 CMS to version 14.3.0 LTS or higher. After the update, execute all User Settings upgrade wizards in the TYPO3 Install Tool, paying special attention to the “User Settings Scrubbing” wizard. Finally, force a password reset for every backend user to ensure any previously exposed credentials are invalidated.

Impact:

A successful exploit allows an attacker to obtain valid backend login credentials in plaintext. This can lead to a complete compromise of the TYPO3 CMS instance, granting the attacker the ability to modify content, elevate privileges, and potentially use the CMS as a pivot point to attack the underlying server or internal network.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top