CVE-2026-49741 - TYPO3 form framework privilege escalation and SQL injection

CVE-2026-49741 / GHSA-jh32-v29g-68pq covers a TYPO3 Form Framework flaw in which backend users with write access to the form_definition table could create, update, or delete form definitions through DataHandler, bypassing the Form Framework’s persistence validation and permission checks. The bypass re-opened attack paths previously addressed in TYPO3-CORE-SA-2018-003, including privilege escalation and SQL injection through crafted form configuration.

This is not a generic “someone can edit a table” issue. The risky shape is that direct table writes bypass the framework layer that was supposed to normalize and validate form definitions. Fixing it means both upgrading TYPO3 and confirming the repository does not keep custom admin tooling, migrations, or extensions that still write directly to the vulnerable table path.

When to use it

  • A TYPO3 backend resolves affected typo3/cms-core or typo3/cms-form versions.
  • Custom extensions, migrations, importers, scripts, or admin tools touch form_definition or DataHandler form persistence paths.
  • Delegated backend users can edit forms, table records, or framework-managed configuration.
  • You need a bounded PR or triage note that upgrades TYPO3 and proves custom form persistence still goes through validation.

Inputs

  • Composer manifests and locks, TYPO3 extension manifests, Dockerfiles, deployment manifests, SBOMs, and generated dependency reports.
  • Owned extensions, scripts, migrations, importers, admin tools, backend role definitions, and form persistence code.
  • Available Composer/TYPO3 tests, extension tests, config render, container build, dependency scan, and safe role-check commands.

Affected versions

  • Vulnerable: typo3/cms-core >= 14.0.0, < 14.3.3
  • Also affected: typo3/cms-form >= 14.0.0, < 14.3.3
  • Fixed: 14.3.3+
  • Affected surface: TYPO3 backends where non-admin or delegated backend users can write form records, extensions that manipulate form_definition directly, and administrative tooling that bypasses framework validation

Indicator-of-exposure

  • The repository resolves typo3/cms-core or typo3/cms-form in the affected range.
  • Extensions, scripts, migrations, importers, or admin tools directly write to form_definition.
  • Backend roles grant write access broad enough to modify form records or invoke DataHandler paths touching form definitions.
  • The deployment exposes form-building capabilities to delegated backend users rather than only tightly controlled administrators.

Quick checks:

rg -n "typo3/cms-core|typo3/cms-form|form_definition|DataHandler|Form Framework|TYPO3-CORE-SA-2018-003" .
composer show typo3/cms-core typo3/cms-form
rg -n "form_definition|DataHandler|TYPO3\\\\CMS\\\\Core\\\\DataHandling|FormPersistenceManager|backend user|BE user" packages extensions config scripts

Windows:

rg -n "typo3/cms-core|typo3/cms-form|form_definition|DataHandler|Form Framework|TYPO3-CORE-SA-2018-003" .
composer show typo3/cms-core typo3/cms-form
rg -n "form_definition|DataHandler|TYPO3\\\\CMS\\\\Core\\\\DataHandling|FormPersistenceManager|backend user|BE user" packages extensions config scripts

Do not validate exposure by injecting malicious form payloads or SQL fragments into a live backend.

Remediation strategy

  • Upgrade typo3/cms-core and typo3/cms-form to 14.3.3+ everywhere the repository controls them.
  • Remove direct writes to form_definition from custom extensions, scripts, importers, or maintenance tooling. Route edits through the validated Form Framework APIs only.
  • Re-review backend role assignments for delegated form editors and remove unnecessary table-write privileges.
  • Add tests or code review gates around extensions that touch form persistence so future changes do not bypass framework validation.
  • Review whether any prior local mitigations for TYPO3-CORE-SA-2018-003 should remain even after the upgrade.

The prompt

You are remediating CVE-2026-49741 / GHSA-jh32-v29g-68pq, a high-severity TYPO3
Form Framework privilege-escalation and SQL-injection issue caused by direct
`DataHandler` access to `form_definition` records bypassing framework
validation. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades TYPO3, removes direct
  `form_definition` write paths, tightens backend permissions, adds safe
  verification, and documents operator follow-up, or
- TRIAGE.md if this repository does not control an affected TYPO3 dependency,
  extension, deployment, or mitigation path.

## Rules

- Scope only CVE-2026-49741 / GHSA-jh32-v29g-68pq and directly related TYPO3
  form persistence, `DataHandler`, backend role, and extension code paths.
- Treat backend credentials, database content, form definitions, customer data,
  and logs as sensitive.
- Do not inject malicious form definitions or SQL payloads into a live TYPO3
  environment.
- Do not broaden backend permissions or keep direct table writes because they
  are convenient for local tooling.
- Do not auto-merge.

## Steps

1. Inventory every controlled TYPO3 reference in `composer.json`,
   `composer.lock`, extension manifests, Dockerfiles, deployment manifests, and
   operator docs.
2. Resolve versions. Any `typo3/cms-core` or `typo3/cms-form` on `>= 14.0.0,
   < 14.3.3` is affected.
3. Search owned extensions, scripts, migrations, and tooling for
   `form_definition`, `DataHandler`, or direct database writes related to forms.
4. Identify backend role and permission assumptions around form editing, table
   writes, and delegated content administration.
5. If the repository does not control an affected TYPO3 backend or only
   contains unrelated client code, stop with `TRIAGE.md` naming the owner and
   required version `14.3.3+`.
6. Upgrade all controlled TYPO3 dependencies to `14.3.3+` and regenerate the
   lockfile, image metadata, dependency reports, and SBOMs.
7. Remove direct `form_definition` write paths from owned code. Replace them
   with the framework-supported persistence and validation flow.
8. Tighten backend permissions so delegated users only have the minimum needed
   form-management access and no unnecessary raw table-write capability.
9. Add safe tests or policy checks:
   - resolved package versions are `14.3.3+`;
   - owned extensions no longer write directly to `form_definition`;
   - backend-role tests prove unauthorized users cannot bypass form-validation
     paths;
   - dependency and extension scans reflect the upgraded version.
10. Add a PR body section named `CVE-2026-49741 operator actions` that states:
    - TYPO3 versions before and after;
    - whether custom code touched `form_definition` directly;
    - which backend roles were reviewed or changed;
    - whether any historical mitigations from TYPO3-CORE-SA-2018-003 remain
      relevant;
    - which logs, admin actions, or database history operators should review.
11. Run relevant validation: Composer install, TYPO3 tests, extension tests,
    config rendering, container build, dependency scans, and safe role or route
    checks that do not inject exploit payloads.
12. Use PR title:
    `fix(sec): remediate TYPO3 form persistence bypass`.

## Stop conditions

- No controlled TYPO3 backend or extension exists.
- The repository only documents a vendor-managed TYPO3 service and cannot
  change dependencies or permissions.
- Safe verification would require exploit payloads or production-only database
  access.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled dependency resolves typo3/cms-core or typo3/cms-form below 14.3.3.
  • Owned code no longer writes directly to form_definition outside the validated framework path.
  • Backend roles are reviewed and narrowed where needed.
  • Tests and scans prove the upgrade and persistence-path cleanup landed together.

Output contract

  • Reviewer-ready PR upgrading TYPO3 Form Framework dependencies to 14.3.3+ and refreshing locks, images, SBOMs, and reports.
  • Evidence that owned extensions and tooling no longer write directly to form_definition outside the validated framework path.
  • Operator notes for backend roles, historical mitigations, logs/admin actions, and database-history review.
  • TRIAGE.md when the affected TYPO3 backend, extension, deployment, or mitigation path is not controlled by this repository.

Watch for

  • Upgrading Composer packages while custom extensions keep the vulnerable persistence bypass behavior.
  • Treating admin-only local tools as harmless if they bypass validation in production deployments too.
  • Narrowing one backend role but leaving equivalent write capability elsewhere.
  • Forgetting to review historical mitigations related to TYPO3-CORE-SA-2018-003.

References