Skip to main content

TYPO3 Frontend User Registration EUVDEUVD-2026-30857

| CVE-2026-46721 MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-05-19 TYPO3 GHSA-v348-vr4q-fv9p
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 19, 2026 - 11:16 EUVD
Analysis Generated
May 19, 2026 - 10:47 vuln.today
CVSS changed
May 19, 2026 - 10:22 NVD
6.9 (MEDIUM)

DescriptionCVE.org

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.

AnalysisAI

Mass assignment in the TYPO3 'Frontend User Registration' extension allows unauthenticated remote attackers to assign arbitrary frontend user groups to accounts created or modified via the public registration and profile-edit flows. Because the extension neither restricts which user properties may be submitted nor enforces server-side access control on the group assignment field, an attacker registers or edits an account while injecting a privileged frontend user group identifier, immediately gaining access to content and functionality that would otherwise require elevated membership. No public exploit is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

CWE-915 ('Improperly Controlled Modification of Dynamically-Determined Object Attributes') describes mass assignment - a class of vulnerability where a framework or ORM blindly binds user-supplied HTTP parameters to model properties without a strict allowlist. In this case, TYPO3's Frontend User Registration extension (CPE: cpe:2.3:a:typo3:extension_"frontend_user_registration":*:*:*:*:*:*:*:*) exposes create and edit flows that map form-submitted properties directly onto the frontend user record. TYPO3's frontend user model includes group membership fields (fe_groups) that govern access to content protected by frontend login and group-restricted pages. Without server-side filtering of which properties are writable through the public form, the group assignment field is as accessible as the username or email field. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms the attack surface is network-reachable with no prerequisites, consistent with a public self-registration endpoint.

RemediationAI

Apply the patched version of the TYPO3 Frontend User Registration extension as directed by the TYPO3 security advisory TYPO3-EXT-SA-2026-009, available at https://typo3.org/security/advisory/typo3-ext-sa-2026-009. A specific fixed version number is not independently confirmed from the available data - consult the advisory directly for the exact target version before upgrading. If immediate patching is not feasible, a compensating control is to disable the public-facing registration and profile-edit flows entirely (e.g., unpublish or restrict access to the pages hosting these forms) until the patch is applied; this eliminates the attack surface at the cost of blocking legitimate self-registration. Alternatively, site administrators can restrict those pages to a trusted IP range via TYPO3's page access restrictions or a web server-level ACL, reducing exposure to known user populations while preserving functionality for internal users.

Share

EUVD-2026-30857 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy