Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.
AnalysisAI
Mass assignment in the TYPO3 'Frontend User Registration' extension allows unauthenticated remote attackers to assign arbitrary frontend user groups to accounts created or modified via the public registration and profile-edit flows. Because the extension neither restricts which user properties may be submitted nor enforces server-side access control on the group assignment field, an attacker registers or edits an account while injecting a privileged frontend user group identifier, immediately gaining access to content and functionality that would otherwise require elevated membership. No public exploit is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Technical ContextAI
CWE-915 ('Improperly Controlled Modification of Dynamically-Determined Object Attributes') describes mass assignment - a class of vulnerability where a framework or ORM blindly binds user-supplied HTTP parameters to model properties without a strict allowlist. In this case, TYPO3's Frontend User Registration extension (CPE: cpe:2.3:a:typo3:extension_"frontend_user_registration":*:*:*:*:*:*:*:*) exposes create and edit flows that map form-submitted properties directly onto the frontend user record. TYPO3's frontend user model includes group membership fields (fe_groups) that govern access to content protected by frontend login and group-restricted pages. Without server-side filtering of which properties are writable through the public form, the group assignment field is as accessible as the username or email field. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms the attack surface is network-reachable with no prerequisites, consistent with a public self-registration endpoint.
RemediationAI
Apply the patched version of the TYPO3 Frontend User Registration extension as directed by the TYPO3 security advisory TYPO3-EXT-SA-2026-009, available at https://typo3.org/security/advisory/typo3-ext-sa-2026-009. A specific fixed version number is not independently confirmed from the available data - consult the advisory directly for the exact target version before upgrading. If immediate patching is not feasible, a compensating control is to disable the public-facing registration and profile-edit flows entirely (e.g., unpublish or restrict access to the pages hosting these forms) until the patch is applied; this eliminates the attack surface at the cost of blocking legitimate self-registration. Alternatively, site administrators can restrict those pages to a trusted IP range via TYPO3's page access restrictions or a web server-level ACL, reducing exposure to known user populations while preserving functionality for internal users.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30857
GHSA-v348-vr4q-fv9p