Description
The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extension's MFA provider.
Published: 2026-03-17
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass via MFA
Action: Immediate Patch
AI Analysis

Impact

The E‑Mail MFA Provider extension does not reset the generated MFA code after a successful authentication, allowing the same code to be reused on subsequent login attempts. An attacker can supply an empty string as the MFA code, effectively bypassing the MFA check without needing the actual code. This flaw is a classic authorization bypass (CWE‑639) that can allow an attacker to obtain privileged access to user accounts and associated data.

Affected Systems

The affected product is the TYPO3 E‑Mail MFA Provider extension. No specific affected versions are listed by the CNA, so all publicly available releases of the extension could potentially be compromised until an official fix is released.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, but the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker who has already authenticated or has legitimate credentials for an account; after a successful login the attacker can reuse the empty code on subsequent attempts. Once the MFA check is bypassed, the attacker gains complete access to the compromised account and any resources reachable through that account. The overall risk is significant for sites that rely solely on this extension for MFA protection.

Generated by OpenCVE AI on March 17, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for the TYPO3 E‑Mail MFA Provider extension as soon as a patch is released.
  • If no patch is currently available, disable or remove the MFA extension to prevent unauthorized logins until a fix is released.
  • Configure the system to reject empty or missing MFA codes by default, ensuring that all authentication attempts require a valid code.
  • Monitor authentication logs for repeated empty code submissions and investigate any suspicious activity.
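The following is an added illustration written for this page; it is not code from the TYPO3 mfa_email extension, and the mechanism it models (the stored code being blanked rather than invalidated after success, so a later empty submission compares equal) is an assumption about how the described bypass arises. It puts the flawed verification pattern beside a hardened one that fails closed on empty input and consumes the one-time code, and it adds the log check suggested in the last recommended action; the log format, field names (`user=`, `code_len=`, `result=`) and the `MfaState` shape are all constructed for the example.

```python
import hmac
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


# Minimal model of per-user MFA state (assumed shape, not the extension's real storage).
@dataclass
class MfaState:
    pending_code: Optional[str] = None  # code e-mailed to the user; None = nothing outstanding


def issue_code(state: MfaState, code: str) -> None:
    """Simulate sending a fresh code by e-mail and remembering it server-side."""
    state.pending_code = code


def verify_vulnerable(state: MfaState, submitted: str) -> bool:
    """Flawed check modelling the advisory (assumed mechanism): after success the
    stored code is blanked to "" instead of being invalidated, and an empty
    submission is never rejected, so a later login that sends "" compares equal."""
    stored = state.pending_code if state.pending_code is not None else ""
    if stored == submitted:
        state.pending_code = ""  # "reset" that leaves an always-matching empty value
        return True
    return False


def verify_hardened(state: MfaState, submitted: str) -> bool:
    """Hardened check: empty or missing input fails closed, the comparison is
    constant-time, and a successful code is consumed so it cannot be reused."""
    if not submitted or not state.pending_code:
        return False
    ok = hmac.compare_digest(state.pending_code.encode(), submitted.encode())
    if ok:
        state.pending_code = None  # consume the one-time code; a new one must be issued
    return ok


# Constructed log format for the detection check below.
LOG_LINE = re.compile(r"user=(?P<user>\S+) .*code_len=(?P<code_len>\d+) .*result=(?P<result>\w+)")


def empty_code_submissions(log_lines, threshold=2):
    """Count MFA attempts per user whose submitted code was empty and return the
    users at or above the threshold, i.e. the 'repeated empty code submissions'
    the recommended actions say to investigate."""
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and int(m.group("code_len")) == 0:
            counts[m.group("user")] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample log lines (not real extension output).
SAMPLE_LOG = [
    "2026-03-17T10:00:01Z mfa provider=mfa_email user=alice code_len=6 result=success",
    "2026-03-17T10:05:12Z mfa provider=mfa_email user=alice code_len=0 result=success",
    "2026-03-17T10:06:40Z mfa provider=mfa_email user=alice code_len=0 result=success",
    "2026-03-17T10:07:03Z mfa provider=mfa_email user=bob code_len=6 result=failure",
]


def demo():
    """Run both verifiers through the same sequence: legitimate login, then an
    empty-code attempt and a replay of the original code."""
    state = MfaState()
    issue_code(state, "483920")
    first = verify_vulnerable(state, "483920")  # legitimate login succeeds
    bypass = verify_vulnerable(state, "")       # later attempt with "" also succeeds: the flaw

    state2 = MfaState()
    issue_code(state2, "483920")
    first2 = verify_hardened(state2, "483920")  # legitimate login succeeds
    replay = verify_hardened(state2, "483920")  # code was consumed: rejected
    empty = verify_hardened(state2, "")         # empty input fails closed: rejected
    return first, bypass, first2, replay, empty


if __name__ == "__main__":
    print(demo())
    print(empty_code_submissions(SAMPLE_LOG))
```

The hardened version encodes the two properties the recommended actions ask for: a code is valid for exactly one successful check, and an empty or absent code can never satisfy the provider regardless of what the server has stored. The log check is deliberately simple; on a real deployment the field names would come from the site's own authentication log format.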



Advisories

Source       ID                    Title
Github GHSA  GHSA-29r8-gvx4-r9w3   Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)
History

Sat, 25 Apr 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mrsilaz
                                      Mrsilaz mfa Mail
CPEs                                  cpe:2.3:a:mrsilaz:mfa_mail:*:*:*:*:*:typo3:*:*
                                      cpe:2.3:a:mrsilaz:mfa_mail:2.0.0:*:*:*:*:typo3:*:*
Vendors & Products                    Mrsilaz
                                      Mrsilaz mfa Mail
Metrics (cvssV3_1)                    {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 18 Mar 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Typo3
                                      Typo3 extension "e-mail Mfa Provider"
Vendors & Products                    Typo3
                                      Typo3 extension "e-mail Mfa Provider"

Tue, 17 Mar 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics (ssvc)                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 09:00:00 +0000

Type                 Values Removed   Values Added
Description                           The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.
Title                                 Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)
Weaknesses                            CWE-639
References
Metrics (cvssV4_0)                    {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-03-24T17:20:39.697Z

Reserved: 2026-03-15T11:55:45.299Z

Link: CVE-2026-4208

Vulnrichment

Updated: 2026-03-17T13:17:01.174Z

NVD

Status: Analyzed

Published: 2026-03-17T09:16:14.810

Modified: 2026-04-25T18:43:03.957

Link: CVE-2026-4208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:28Z

Weaknesses