In a nutshell:
- TYPO3 14.3.0 was released on April 22, 2026, and addresses a critical security vulnerability (CVE-2026-XXXX) plus 11 bug fixes (TYPO3 Security Advisories).
- Anyone still on TYPO3 v12 LTS or older should plan to upgrade to v14 LTS by Q3 2026 at the latest—v12 ELTS support will cost a fee starting in 2027 (TYPO3 Company).
- Updates to 14.3.0 are straightforward: Composer update, cache flush, tests in staging — done in under 30 minutes for standard setups.
If you use TYPO3, you know the drill. Install the update. Clear the cache. Check it off the list.
This time, that’s not enough.
On April 21, 2026, TYPO3 published a security advisory. It affects TYPO3 14.2.0. The severity rating is “High.” It concerns sensitive data in backend user settings.
We’ll show you what happened. And what you specifically need to do now. No need to panic, but do have a plan.
What exactly happened
TYPO3 has documented a security vulnerability for 14.2.0. The short version: certain backend user values could end up in the database as plain text. TYPO3 classifies this as “Sensitive Data Exposure.” The fix is included in TYPO3 14.3.0 LTS. This is stated in the official TYPO3 advisory.
One sentence from the advisory is important: an update alone does not clean up legacy issues. TYPO3 explicitly states that the patch does not retroactively remove existing data.
This is the point that many overlook.
Who is affected
You are affected if you are using TYPO3 14.2.0. Not if you are still running 13 LTS or 12 LTS. Not if you are already using 14.3.0.
If you’re not sure, check the backend, your Composer configuration, or your deployment log. The main thing is, don’t guess.
Why this is particularly problematic for SMEs
Many small and medium-sized businesses treat TYPO3 like a website. But it’s a system with users, roles, and access control.
If values are stored in plain text in the database, that’s a risk. Not just because someone can read the database, but also because passwords are reused in many companies. That’s just everyday life. That’s exactly why an issue like this hits so hard.
We don’t want to spin a horror story here. We’re just saying: If you clean things up properly now, you’ll save yourself stress later.
The right order: Update, Wizard, Password Reset
TYPO3 lists three specific steps. We’ve translated them into a sequence that works in real-world projects.
Step 1: Update to TYPO3 14.3.0 LTS
This is the actual fix. TYPO3 recommends updating to 14.3.0 LTS as the solution.
With Composer, this is usually a standard minor update. Nevertheless, the rule applies: staging first, then production. If you don’t have a staging environment, that’s the real problem—not the advisory.
Step 2: Run the upgrade wizards, including “User Settings Scrubbing”
TYPO3 provides very specific instructions on this. You must run all “User Settings” upgrade wizards. And explicitly the “User Settings Scrubbing” wizard.
The wizard cleans up incorrectly stored plaintext values in the uc and user_settings fields of the be_users table. The path is listed in the advisory: Admin Tools, Upgrade, Upgrade Wizard, User Settings Scrubbing.
This is the part that many people forget because it doesn’t look like a classic patch.
Step 3: Reset backend user passwords
TYPO3 also recommends assigning new passwords to affected backend user accounts.
We’ll do this pragmatically:
- Generate a list of all backend users.
- Admin accounts first.
- Then all editors.
- Do not send passwords via email.
- Instead, use a secure channel.
Those using SSO are affected differently. In that case, it’s less about editor passwords. The wizard remains relevant nonetheless.
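The triage behind "Who is affected" and the three steps above, as an added example that is not part of the TYPO3 advisory or the project's own code: it reads a project's composer.lock history and lists which steps still apply, including the case where 14.3.0 is already installed but 14.2.0 ran earlier. The function names, the sample lock files and the 13.4.0 version string are constructed for illustration; it assumes the core version is locked under the package name typo3/cms-core.

```python
import json

AFFECTED = "14.2.0"  # version named on this page

def core_version(lock_text):
    """Return the locked typo3/cms-core version without a leading 'v', or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "typo3/cms-core":
            return pkg.get("version", "").lstrip("v") or None
    return None

def remaining_steps(lock_history):
    """lock_history: composer.lock contents, oldest first; the last entry is
    what is deployed now (e.g. one file per past deployment, taken from
    version control). Returns the page's steps that still apply."""
    versions = [core_version(text) for text in lock_history]
    if AFFECTED not in versions:
        return []  # 14.2.0 never ran here
    steps = []
    if versions[-1] == AFFECTED:
        steps.append("update to TYPO3 14.3.0 LTS")
    # The update does not clean existing rows, so these apply even when a
    # later version is already installed. The lock file cannot show whether
    # they were already done; confirm that separately.
    steps.append("run all User Settings upgrade wizards, incl. User Settings Scrubbing")
    steps.append("reset backend user passwords, admin accounts first")
    return steps

def sample_lock(version):
    """Constructed minimal composer.lock for the demo below."""
    return json.dumps({"packages": [
        {"name": "typo3/cms-backend", "version": version},
        {"name": "typo3/cms-core", "version": version},
    ], "packages-dev": []})

if __name__ == "__main__":
    cases = {
        "still on 14.2.0": [sample_lock("v14.2.0")],
        "updated, 14.2.0 in history": [sample_lock("v14.2.0"), sample_lock("v14.3.0")],
        "never ran 14.2.0": [sample_lock("v13.4.0")],
    }
    for label, history in cases.items():
        print(label, "->", remaining_steps(history) or "nothing to do")
```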
Common pitfalls in practice
“We’ll do the update later, when we have time”
The advisory isn’t just theoretical. It’s classified as “High.” The fix is known. This is exactly the moment when you shouldn’t wait.
“The update is installed, so that’s fine”
No. Having the patch installed doesn’t mean the data is clean. TYPO3 says so itself. Without the wizard, old values remain.
“We have a backup, don’t we?”
A backup won’t help you if you’re carrying around incorrect data long-term. You need a cleanup, not just a restore.
Quick checklist for your team
If you want to share this internally, use this list. It’s intentionally short.
- Check version: Is TYPO3 14.2.0 running?
- Plan the update: staging first, then live.
- Run the upgrade wizards.
- Run “User Settings Scrubbing.”
- Reset backend user passwords.
- Then test logins.
- File the documentation.
How we approach this at Waterproof Web Wizard
In such cases, we work according to a simple principle. First, stop the risk. Then clean up thoroughly. Then document.
Specifically, this means:
- Dennis first checks whether 14.2.0 is in use.
- Then we update to 14.3.0 LTS.
- After that, the wizards run.
- Then comes the password reset.
- Finally, there’s a brief note for IT.
This isn’t a major project. But it needs someone to handle it properly. You can find more about our TYPO3 service on the relevant page.
Conclusion
TYPO3 14.3.0 isn’t just a “nice-to-have” this time. It’s a security fix. And it’s the kind where an update alone isn’t enough.
If you’re using TYPO3 14.2.0, do it this week. With the wizard. With the password reset. Then the issue is resolved.
Frequently Asked Questions
How can we tell if we’re using TYPO3 14.2.0?
You can find the version in the TYPO3 backend under System Information or in your Composer configuration. If you’re unsure, have someone check it for you.
Is an update to TYPO3 14.3.0 sufficient?
No. TYPO3 notes that the update does not retroactively clean up existing data. You must also run the “User Settings Scrubbing” wizard.
Do we really need to reset all backend user passwords?
TYPO3 recommends this for affected accounts. To be on the safe side, reset all backend user passwords, starting with the admin accounts.
If you’d like us to handle the update for you, contact us via /contact/. Dennis will check your version, plan the update, and document the steps.
Sources
- TYPO3 – Security Advisories
- TYPO3 – Release Notes 14.3.0
- TYPO3 Company – Extended Support (ELTS)
- TYPO3 – Roadmap & LTS
