CVE-2026-46721
Deferred Deferred - Pending Action
Frontend User Group Privilege Escalation in User Management System

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: TYPO3

Description
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-46721
EUVD
EUVD-2026-30857
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
typo3 frontend_user_registration From 13.2.3 (inc) to 14.0.2 (exc)
typo3 frontend_user_registration 14.0.0
typo3 frontend_user_registration 14.0.1
typo3 frontend_user_registration 14.0.2
typo3 frontend_user_registration 13.2.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the TYPO3 extension "Frontend User Registration" (sf_register). It is a Broken Access Control flaw where the create and edit flows do not properly restrict which user properties can be submitted. Specifically, the frontend user group assignment is not enforced with access control, allowing an attacker to assign arbitrary frontend user groups to newly registered or edited accounts.

As a result, an attacker can gain unauthorized access to content and functionality that is normally restricted to privileged frontend user groups.

Impact Analysis

This vulnerability can allow an attacker to escalate their privileges by assigning themselves or other accounts to privileged frontend user groups without authorization.

This unauthorized access can lead to exposure of restricted content and functionality, potentially compromising the security and integrity of the affected TYPO3 website.

Mitigation Strategies

To mitigate the vulnerability in the TYPO3 Frontend User Registration extension (sf_register), you should immediately update the extension to a fixed version.

  • Update to version 14.0.2 or 13.2.4 or later, which contain the fixes for this issue.
  • Use the TYPO3 extension manager, Packagist, or the official extension download page to perform the update.
  • Follow the TYPO3 Security Guide recommendations.
  • Subscribe to the typo3-announce mailing list to stay informed about security updates.
Compliance Impact

The vulnerability allows attackers to assign arbitrary frontend user groups to newly registered or edited accounts, granting unauthorized access to privileged content and functionality. This unauthorized access could lead to exposure or misuse of sensitive user data.

Such unauthorized access and potential data exposure may impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to failure in enforcing proper access controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46721. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart