CVE-2025-57758

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated back-end users in Contao CMS to access modules they shouldn't have permission to view. It affects Contao installations from version 5.0.0 up to (but not including) 5.3.38 and 5.6.1. The issue stems from improper access control in the table access voter component.

💻 Affected Systems

Products:
  • Contao CMS
Versions: 5.0.0 to 5.3.37, and 5.4.0 to 5.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Contao installations with back-end user accounts. Front-end users are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Privilege escalation where authenticated users gain unauthorized access to administrative modules, potentially leading to data exposure or unauthorized content modifications.

🟠 Likely Case: Users with limited back-end access can view or interact with modules beyond their assigned permissions, violating the principle of least privilege.

🟢 If Mitigated: With proper module-level access controls and the workaround implemented, users are restricted to their assigned modules only.

🌐 Internet-Facing: MEDIUM - While exploitation requires authentication, internet-facing Contao back-ends could be targeted by attackers who obtain valid credentials.
🏢 Internal Only: MEDIUM - Internal users with back-end access could exploit this to exceed their authorized permissions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires authenticated back-end access but minimal technical skill to attempt unauthorized module access.

Exploitation requires valid back-end user credentials. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.3.38 or 5.6.1

Vendor Advisory: https://contao.org/en/security-advisories/improper-access-control-in-the-back-end-voters

Restart Required: No

Instructions:

1. Back up your Contao installation and database.
2. Update Contao to version 5.3.38 (if on the 5.3.x branch) or 5.6.1 (if on the 5.4.x-5.6.x branch).
3. Clear the cache via the Contao back-end or the command line.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Implement USER_CAN_ACCESS_MODULE checks (applies to: all affected versions)

Add explicit access control checks to custom back-end modules so that each module verifies the current user holds the USER_CAN_ACCESS_MODULE permission for that module, as described in the vendor advisory, rather than relying on the table access voter alone.
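As an added illustration of the workaround (not code from Contao or from the advisory), the snippet below shows a custom back-end module controller that enforces the module permission itself. The controller class, its route and the module name `my_custom_module` are assumed placeholders; `ContaoCorePermissions::USER_CAN_ACCESS_MODULE` is the real Contao permission attribute the advisory refers to.

```php
<?php

declare(strict_types=1);

namespace App\Controller\BackendModule;

use Contao\CoreBundle\Security\ContaoCorePermissions;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

/**
 * Hypothetical custom back-end module. The explicit permission check below
 * is the workaround: the module refuses to render for any back-end user who
 * is not granted USER_CAN_ACCESS_MODULE for this specific module name,
 * independent of what the table access voter decides.
 */
#[Route('/contao/my-custom-module', name: 'app_backend_my_custom_module')]
class MyCustomModuleController extends AbstractController
{
    // Assumed module key; it must match the key registered in the back-end menu.
    private const MODULE_NAME = 'my_custom_module';

    public function __invoke(): Response
    {
        // Throws AccessDeniedException (HTTP 403) unless the current user
        // is explicitly allowed to access this module.
        $this->denyAccessUnlessGranted(
            ContaoCorePermissions::USER_CAN_ACCESS_MODULE,
            self::MODULE_NAME
        );

        // Only reached for users who hold the module permission.
        return new Response('Module content for authorized users only.');
    }
}
```

Requests denied here surface as HTTP 403 responses in the web server and Contao logs, which is a useful signal to correlate with the "access denied" indicators listed under Detection & Monitoring.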

🧯 If You Can't Patch

  • Implement the workaround of adding USER_CAN_ACCESS_MODULE checks to all custom modules
  • Restrict back-end user permissions to minimum required and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the Contao version via the back-end (System → Settings) or via the command line:

php vendor/bin/contao-console contao:version

Verify Fix Applied:

Verify that the version is 5.3.38 or higher (for the 5.3.x branch) or 5.6.1 or higher (for the 5.4.x-5.6.x branch). Then confirm, with a low-privilege back-end test account, that modules outside that account's assigned permissions are not accessible.

📡 Detection & Monitoring

Log Indicators:

  • Unusual back-end module access patterns
  • Users accessing modules outside their typical scope
  • Access denied errors for modules users shouldn't be trying to access

Network Indicators:

  • Increased back-end authentication attempts
  • Unusual API calls to back-end modules

SIEM Query:

source="contao_logs" AND (event="module_access" OR event="access_denied") | stats count by user, module
