CVE-2026-6553
TYPO3 CMS Stores Cleartext Password in User Settings Module
Description
### Problem

The backend user settings module (`SetupModuleController`) incorrectly conflates entity data (such as passwords or the email address) with user-interface settings (such as theme or display options) when persisting changes. As a result, passwords were stored in cleartext in the `uc` and `user_settings` fields of the `be_users` database table. The cleartext data was only persisted if users changed their credentials in the backend user settings module while running the TYPO3 14.2.0 release (no other version is affected).

### Solution

Update to TYPO3 version 14.3.0 LTS, which fixes the problem described.

> [!IMPORTANT]
> **Manual actions required**
>
> Updating to the patched release does not retroactively clean existing data. It is recommended to execute all User Settings upgrade wizards in the TYPO3 Install Tool, including the dedicated User Settings Scrubbing wizard, which sanitizes the incorrectly persisted cleartext values from the `uc` and `user_settings` fields of the `be_users` table. **Additionally, affected backend user accounts should be assigned new passwords.**
>
> _Admin Tools → Upgrade → Upgrade Wizard → User Settings Scrubbing_

### Credits

TYPO3 thanks Martin Clewing for reporting this issue, and TYPO3 core team members Oliver Hader, Stefan Bürk and Garvin Hicking for fixing it.
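As an added verification example (not TYPO3 code, and not part of the advisory): given exported `be_users` rows, flag the accounts whose `uc` or `user_settings` blob still carries a credential key and produce a scrubbed copy, so an administrator can confirm which accounts need a password reset and check that the cleanup actually removed the data. The JSON encoding of the blobs and the key names in `SENSITIVE_KEYS` are assumptions, not facts from the advisory; adapt both to your instance.

```python
# Added example for CVE-2026-6553 (not TYPO3 code). Assumptions, not from the
# advisory: the `uc`/`user_settings` blobs are JSON objects and the leaked
# credential sits under a key such as "password". Adapt both for your instance.
import json
from typing import Any

SENSITIVE_KEYS = {"password", "password2", "passwordCurrent"}  # assumed key names
BLOB_FIELDS = ("uc", "user_settings")  # the two be_users columns named in the advisory


def _walk(node: Any, path: str, hits: list[str]) -> Any:
    """Return a copy of node without sensitive keys, recording each removed key path."""
    if isinstance(node, dict):
        clean = {}
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                hits.append(child)  # record the path only, never the value itself
                continue
            clean[key] = _walk(value, child, hits)
        return clean
    if isinstance(node, list):
        return [_walk(v, f"{path}[{i}]", hits) for i, v in enumerate(node)]
    return node


def scrub_row(row: dict) -> tuple[dict, list[str]]:
    """Scan one be_users row; return (scrubbed copy, paths of leaked keys found)."""
    hits: list[str] = []
    scrubbed = dict(row)
    for field in BLOB_FIELDS:
        raw = row.get(field)
        if not raw:
            continue
        cleaned = _walk(json.loads(raw), field, hits)
        scrubbed[field] = json.dumps(cleaned, separators=(",", ":"))
    return scrubbed, hits


def accounts_needing_reset(rows: list[dict]) -> list[str]:
    """Usernames whose settings blobs still carry a credential: reset their passwords."""
    return [row["username"] for row in rows if scrub_row(row)[1]]


# Constructed sample rows (not real data): one clean account, one affected one.
SAMPLE_ROWS = [
    {"uid": 1, "username": "editor", "uc": '{"theme":"dark"}', "user_settings": '{"lang":"de"}'},
    {"uid": 2, "username": "admin", "uc": '{"theme":"light","password":"hunter2"}',
     "user_settings": '{"email":"a@example.test","password":"hunter2"}'},
]
```

Run it over a dump taken before and after the User Settings Scrubbing wizard to confirm nothing remains; the wizard, not this script, is the supported cleanup path.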
How to fix CVE-2026-6553
To remediate CVE-2026-6553, upgrade the affected package to a fixed version below.
- upgrade to 14.3.0 or later
Is CVE-2026-6553 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 14.2.0, < 14.3.0