TYPO3 Security Releases: Four security vulnerabilities in 14.0.2, 13.4.23 and 12.4.41 closed

This article was automatically translated using DeepL. Therefore, inaccuracies may occur.

TYPO3 14.0.2, 13.4.23 and 12.4.41 have been released and close several security vulnerabilities. Here you can find out what is affected and how urgent the update is.

On January 13, 2026, the TYPO3 team published new security releases. All currently supported versions are affected: TYPO3 14.0.2, 13.4.23 LTS, 12.4.41 LTS and the ELTS versions 11.5.49 and 10.4.55.

Four security vulnerabilities have been closed. Three of them concern broken access controls in the backend; the fourth is an insecure deserialization issue in the mailer file spool.

The four security advisories at a glance

TYPO3-CORE-SA-2026-001: Broken Access Control in the Edit Document Controller

Backend users were able to bypass access controls via the defVals parameter and write data into protected fields for which they had no authorization. All versions from 10.0.0 to 14.0.1 are affected. The severity is classified as medium.

TYPO3-CORE-SA-2026-002: Broken Access Control in the Redirects module

Backend users with access to the redirects module could read and modify all redirect entries, regardless of their file mounts or web mounts. This made it possible to create redirects to arbitrary URLs, which could be abused for phishing. Severity: medium.

TYPO3-CORE-SA-2026-003: Broken access control in the recycler module

This is the most critical of the four vulnerabilities. Backend users with access to the recycler module could delete arbitrary data from any TCA table without having the appropriate permissions. In the worst case, attackers could destroy entire website content and render the site unusable. Severity: high.

TYPO3-CORE-SA-2026-004: Insecure deserialization in the mailer file spool

Local users with write access to the mail spool directory could place manipulated spool files that led to remote code execution when the mailer:spool:send command was run. The problem only affects installations with the file spool transport enabled. Severity: medium.

What to do now

The updates can be installed as usual. No additional database updates are required for these maintenance releases.

How urgent the update is depends on your installation. If you have several backend users with different authorization levels, you should update as soon as possible. The recycler vulnerability (SA-2026-003) in particular should be taken seriously.

If you are still working with TYPO3 11 or 10 and have ELTS support, patched versions are also available.
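As an added example (not from the article or from the TYPO3 project): a small Python triage helper that tells whether an installed TYPO3 version is below the patched release of its branch and which of the four advisories still apply to it. The fixed version numbers come from the article; the function names and the file-spool flag are assumptions of this example.

```python
"""Triage helper for the January 2026 TYPO3 security releases.

Fixed versions per branch are taken from the article above; the helper
itself is an added example, not TYPO3 code."""

# First patched release per supported branch (from the article).
FIXED = {
    (14, 0): (14, 0, 2),
    (13, 4): (13, 4, 23),
    (12, 4): (12, 4, 41),
    (11, 5): (11, 5, 49),   # ELTS
    (10, 4): (10, 4, 55),   # ELTS
}


def parse_version(v):
    """'13.4.22' -> (13, 4, 22); a '-dev' style suffix is ignored."""
    parts = v.split("-")[0].split(".")
    return tuple(int(p) for p in parts[:3])


def is_patched(v):
    """True if the version is at or above the fixed release of its branch.
    Branches without a fix listed (e.g. 9.5) are treated as unpatched."""
    major, minor, patch = parse_version(v)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) >= fixed


def applicable_advisories(v, file_spool_enabled):
    """Advisory IDs from the article that apply to an unpatched install.

    SA-2026-001 is stated to affect 10.0.0 through 14.0.1. The article says
    all supported versions are affected overall, so SA-2026-002/003 are
    assumed to apply to every unpatched version (assumption of this example).
    SA-2026-004 only matters when the file spool transport is active."""
    if is_patched(v):
        return []
    ver = parse_version(v)
    ids = []
    if (10, 0, 0) <= ver <= (14, 0, 1):
        ids.append("TYPO3-CORE-SA-2026-001")
    ids += ["TYPO3-CORE-SA-2026-002", "TYPO3-CORE-SA-2026-003"]
    if file_spool_enabled:
        ids.append("TYPO3-CORE-SA-2026-004")
    return ids
```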

Further information

All details about the security advisories can be found on typo3.org:

The official release notes can be found here:


Comments under articles are disabled. If you have a question or addition, please send me an e-mail.

Who writes here?

Hi, I'm Wolfgang.

Since 2006, I've been diving deep into the fascinating world of TYPO3 - it's not only my profession, but also my passion. My path has taken me through countless projects, and I have created hundreds of professional video tutorials focusing on TYPO3 and its extensions. I love unraveling complex topics and turning them into easy-to-understand concepts, which is also reflected in my trainings and seminars.

As an active member of the TYPO3 Education Committee, I am committed to keeping the TYPO3 CMS Certified Integrator exam questions up to date and challenging.

But my passion doesn't end at the screen. When I'm not diving into the depths of TYPO3, you'll often find me on my bike, exploring the scenic trails around Lake Constance. These outdoor excursions are my perfect balance - they keep my mind fresh and always provide me with new ideas.