CVE-2026-46721
Frontend User Group Privilege Escalation in User Management System
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: TYPO3
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| typo3 | frontend_user_registration | From 13.2.3 (inc) to 14.0.2 (exc) |
| typo3 | frontend_user_registration | 14.0.0 |
| typo3 | frontend_user_registration | 14.0.1 |
| typo3 | frontend_user_registration | 14.0.2 |
| typo3 | frontend_user_registration | 13.2.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the TYPO3 extension "Frontend User Registration" (sf_register). It is a Broken Access Control flaw: the create and edit flows do not properly restrict which user properties a submitted form may set. In particular, the frontend user group assignment is not protected by an access check, so an attacker can assign arbitrary frontend user groups to newly registered or edited accounts.
As a result, an attacker can gain unauthorized access to content and functionality that is normally restricted to privileged frontend user groups.
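The following is an added illustration of the CWE-915 pattern described above, not code from sf_register or TYPO3: a registration handler that copies every submitted field onto the user record, beside one that only accepts an allow-list and sets group membership server-side. The field names, the `usergroup` column and the group IDs are assumptions for the example.

```php
<?php
// Added example (not sf_register code): unrestricted property mapping lets a
// registration form set `usergroup`; an allow-list keeps that server-side.

// Constructed sample request body: the expected self-service fields plus an
// extra `usergroup` key that only an administrator should ever be able to set.
$postedUser = [
    'username'  => 'alice',
    'email'     => 'alice@example.invalid',
    'password'  => 'correct horse battery staple',
    'usergroup' => '1',   // hypothetical ID of a privileged frontend group
];

// VULNERABLE pattern (CWE-915): every submitted key becomes a record field,
// so the client decides its own group membership.
function buildUserUnrestricted(array $posted): array
{
    $user = [];
    foreach ($posted as $field => $value) {
        $user[$field] = $value;  // `usergroup` taken straight from the request
    }
    return $user;
}

// HARDENED pattern: only an explicit allow-list of self-service fields is
// accepted; group membership comes from server-side configuration only.
const SELF_SERVICE_FIELDS = ['username', 'email', 'password'];
const DEFAULT_GROUP_IDS   = [2];   // hypothetical "registered users" group

function buildUserRestricted(array $posted, array $defaultGroups): array
{
    $user = [];
    foreach (SELF_SERVICE_FIELDS as $field) {
        if (array_key_exists($field, $posted)) {
            $user[$field] = $posted[$field];
        }
    }
    // Unexpected keys are a useful detection signal: log them, never map them.
    $ignored = array_diff(array_keys($posted), SELF_SERVICE_FIELDS);
    if ($ignored !== []) {
        error_log('registration: ignored fields ' . implode(',', $ignored));
    }
    // Group assignment is never read from the request.
    $user['usergroup'] = implode(',', $defaultGroups);
    return $user;
}

$unsafe = buildUserUnrestricted($postedUser);
$safe   = buildUserRestricted($postedUser, DEFAULT_GROUP_IDS);
printf("unrestricted usergroup: %s (client-chosen)\n", $unsafe['usergroup']);
printf("restricted   usergroup: %s (server-chosen)\n", $safe['usergroup']);
```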
How can this vulnerability impact me?
This vulnerability can allow an attacker to escalate their privileges by assigning themselves or other accounts to privileged frontend user groups without authorization.
Such unauthorized access can expose restricted content and functionality, compromising the security and integrity of the affected TYPO3 website.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in the TYPO3 Frontend User Registration extension (sf_register), update the extension to a fixed version without delay.
- Update to version 14.0.2 or 13.2.4 or later, which contain the fix for this issue.
- Use the TYPO3 extension manager, Packagist, or the official extension download page to perform the update.
- Follow the recommendations in the TYPO3 Security Guide.
- Subscribe to the typo3-announce mailing list to stay informed about security updates.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to assign arbitrary frontend user groups to newly registered or edited accounts, granting unauthorized access to privileged content and functionality. This unauthorized access could lead to exposure or misuse of sensitive user data.
Such unauthorized access and potential data exposure may affect compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
Therefore, if exploited, this vulnerability could result in non-compliance with these regulations because proper access controls were not enforced.