Trash Can Fire: How the TYPO3 Recycler Turned into a Data Shredder
Jan 13, 2026 · 7 min read
Executive Summary (TL;DR)
The Recycler (trash bin) module in TYPO3 did not verify that the requesting backend user was allowed to modify a given table before letting them permanently delete records from it. It also mishandled records that were already soft-deleted: the permission logic effectively failed open for exactly the records the Recycler exists to purge. As a result, a low-privileged backend user could wipe the site's database, including administrator accounts and root pages.
A broken access control vulnerability in the TYPO3 CMS Recycler module allowed authenticated backend users to bypass table-level permissions and permanently delete arbitrary data. By exploiting logic flaws in how soft-deleted records were handled, an attacker could purge critical system tables, resulting in a catastrophic denial of service. Because the Recycler is driven by backend Ajax requests, exploitation needs nothing beyond a valid backend login: no user interaction, no special configuration, and a request that is trivial to script.
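To make the two flaws concrete, here is a small Python model of the authorization decision, written as an added example for this page; it is not TYPO3 code, and the record store, user model and function names (`purge_vulnerable`, `purge_hardened`, `find_live`, `find_any`) are constructed stand-ins. It assumes the vulnerable path looked up the target record with the usual "deleted = 0" restriction still in place, so a soft-deleted row was simply not found and the missing record was treated as "nothing to deny", and that the hardened path checks the user's per-table modify permission (the permission TYPO3 tracks per backend user and group, independent of this page) before touching any row, resolving the record without the deleted restriction so the check is made against the row that is actually purged.

```python
"""Model of a fail-open recycler purge versus a deny-by-default one.

Constructed illustration, not TYPO3 code: the record store, the user
model and all function names here are invented for the example.
"""
from dataclasses import dataclass, field


@dataclass
class BackendUser:
    name: str
    admin: bool = False
    # Tables this user may modify (assumption: a per-table allow list,
    # modelled after the table-modify permission of a TYPO3 backend user).
    tables_modify: set = field(default_factory=set)


@dataclass
class Record:
    table: str
    uid: int
    deleted: bool = False  # soft-delete flag; the recycler only purges rows with deleted=True


def make_db():
    """Constructed sample database: two system tables and one content table."""
    return {
        "be_users": {1: Record("be_users", 1), 2: Record("be_users", 2, deleted=True)},
        "pages": {1: Record("pages", 1), 5: Record("pages", 5, deleted=True)},
        "tt_content": {10: Record("tt_content", 10, deleted=True), 11: Record("tt_content", 11)},
    }


def find_live(db, table, uid):
    """Lookup with the default 'deleted = 0' restriction applied."""
    rec = db.get(table, {}).get(uid)
    return rec if rec is not None and not rec.deleted else None


def find_any(db, table, uid):
    """Lookup with the deleted restriction removed; what a recycler must use."""
    return db.get(table, {}).get(uid)


def purge_vulnerable(user, db, table, uid):
    """Fail-open variant (assumed shape of the flaw described above).

    The permission check is tied to the record the live lookup returns.
    A soft-deleted row is invisible to that lookup, so the check is
    skipped and the physical delete runs with no table-level check.
    """
    rec = find_live(db, table, uid)
    if rec is not None and not user.admin and table not in user.tables_modify:
        return False
    if uid in db.get(table, {}):
        del db[table][uid]
        return True
    return False


def purge_hardened(user, db, table, uid):
    """Deny-by-default variant.

    Order matters: the table must be known, the user must hold modify
    rights on that table, and only then is the record resolved, using a
    lookup that sees soft-deleted rows so the row that gets purged is
    the row that was checked.
    """
    if table not in db:
        return False
    if not user.admin and table not in user.tables_modify:
        return False
    rec = find_any(db, table, uid)
    if rec is None or not rec.deleted:
        return False  # a recycler purges only rows that are already soft-deleted
    del db[table][uid]
    return True


def purge_batch(user, db, items, purge=purge_hardened):
    """Apply the check per (table, uid) pair, as a multi-record Ajax
    request would require; one denied item must not affect the others."""
    return {(table, uid): purge(user, db, table, uid) for table, uid in items}


if __name__ == "__main__":
    editor = BackendUser("editor", tables_modify={"tt_content"})
    print(purge_vulnerable(editor, make_db(), "be_users", 2))  # soft-deleted admin purged
    print(purge_hardened(editor, make_db(), "be_users", 2))    # denied
```

The contrast the test below relies on is that the vulnerable purge refuses to delete a live `be_users` row (the check fires) but happily purges the soft-deleted one (the check never runs), while the hardened purge decides on the table and the user's rights before it ever looks at the row.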
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| TYPO3 CMS | 14.0.0 - 14.0.1 | 14.0.2 |
| TYPO3 CMS | 13.0.0 - 13.4.22 | 13.4.23 |
| TYPO3 CMS | 12.0.0 - 12.4.40 | 12.4.41 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-862 |
| Attack Vector | Network (Ajax) |
| CVSS v4.0 | 7.1 (High) |
| Impact | High Availability Loss (Data Destruction) |
| Privileges Required | Low (Authenticated Backend User) |
| Exploit Status | Logic Flaw (Trivial to Script) |
| Vendor | TYPO3 |
MITRE ATT&CK Mapping
Weakness classification, CWE-862 (Missing Authorization): the software does not perform an authorization check when an actor attempts to access a resource or perform an action. Here the missing check is the table-level modify permission on the Recycler's permanent-delete path.