by Leo Feyer
Improper access control in the back end voters
Date: 2025-08-28
CVE ID: CVE-2025-57758
The table access voter in the back end does not check whether a user is allowed to access the corresponding module.
Affected versions
Contao 5.3 up to 5.3.37
Contao 5.4
Contao 5.5
Contao 5.6 up to 5.6.0
Suggested solution
Upgrade to Contao 5.3.38 or 5.6.1.
Workaround
Do not rely solely on the voter and additionally check USER_CAN_ACCESS_MODULE.
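The workaround as an added example (not code from Contao or from this advisory): a small guard for custom back end code that checks module access first and only then asks the data container voters. The namespace, the class name `ModuleAwareTableGuard` and the `news` / `tl_news` pairing are assumptions chosen for illustration.

```php
<?php

declare(strict_types=1);

namespace App\Security; // hypothetical namespace for this example

use Contao\CoreBundle\Security\ContaoCorePermissions;
use Contao\CoreBundle\Security\DataContainer\AbstractAction;
use Contao\CoreBundle\Security\DataContainer\ReadAction;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

// Hypothetical helper: combines the module check with the table voter result.
final class ModuleAwareTableGuard
{
    public function __construct(
        private readonly AuthorizationCheckerInterface $authorizationChecker,
    ) {
    }

    /**
     * @param string         $module Back end module that owns the table (supplied by the caller)
     * @param AbstractAction $action Create/Read/Update/Delete action on the table
     */
    public function isGranted(string $module, AbstractAction $action): bool
    {
        // 1. Explicit module check: deny early if the user may not open the module at all.
        if (!$this->authorizationChecker->isGranted(ContaoCorePermissions::USER_CAN_ACCESS_MODULE, $module)) {
            return false;
        }

        // 2. Only then consult the table voters for the concrete action.
        return $this->authorizationChecker->isGranted(
            ContaoCorePermissions::DC_PREFIX.$action->getDataSource(),
            $action,
        );
    }

    // Example call site: reading a tl_news record requires access to the "news" module.
    public function canReadNews(array $record): bool
    {
        return $this->isGranted('news', new ReadAction('tl_news', $record));
    }
}
```

Both checks fail closed: a user without module access is denied even if the table voter alone would have granted the action.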
More information
https://github.com/contao/contao/security/advisories/GHSA-7m47-r75r-cx8v