Description
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.
Published: 2026-05-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the TYPO3 extension "Frontend User Registration" (sf_register). In the create and edit flows the extension does not restrict which user properties the submitted form data may set (mass assignment, CWE-915), so the frontend user group field is accepted from the client like any other property, and the chosen group is never checked against what the requester is entitled to (CWE-639). An attacker can therefore submit a registration or profile-edit request that places the account in an arbitrary frontend user group, after which the account can reach content and functionality meant only for members of more privileged groups. The intended access control is bypassed without any further exploitation step.

Affected Systems

Affected systems are TYPO3 installations that have the "Frontend User Registration" extension (sf_register) installed with its registration or edit forms reachable. The record lists no affected or fixed version range, so every installed version should be treated as affected until the maintainers publish a release that contains the fix.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (Medium) reflects limited confidentiality and integrity impact, but the bug is reachable remotely: a crafted HTTP request to the public registration form is enough, with no prior authentication (the vector records PR:N), and the edit form extends the same attack to any account the attacker can already log in to, including one just self-registered. The EPSS estimate is below 1% (very low) and the CVE is not in the CISA KEV catalog, so there is no indication of exploitation in the wild at the time of writing, although the SSVC assessment records the attack as automatable.

Generated by OpenCVE AI on May 19, 2026 at 11:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the sf_register extension to a release that contains the authorization fix as soon as the maintainers publish one.
  • Configure the extension or TYPO3 backend to restrict frontend user group assignments to a predefined set of allowed groups.
  • Conduct an audit of existing user accounts to identify and correct any accounts that have been assigned to unauthorized frontend groups.

Generated by OpenCVE AI on May 19, 2026 at 11:27 UTC.
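As an added illustration of the pattern the advisory describes (this is not code from sf_register, TYPO3 or the advisory itself), the following Python models a create/edit handler that copies every submitted field onto the account record, beside allow-listed handlers that assign the group server-side, plus an audit helper of the kind the last recommended action calls for. The group ids, field names, the self-registration allow-list and the sample form submissions are constructed assumptions; TYPO3 itself is PHP, and the code here only models the logic of the bug and its fix.

```python
"""Model of the mass-assignment / group-assignment bug described above.

Added illustration, not code from sf_register or TYPO3: a registration and
edit handler that copies every submitted form field onto the account record
lets the client pick its own frontend user group (CWE-915 leading to
CWE-639). The fixed handlers allow-list the mappable properties and set the
group server-side. All ids, field names and records are constructed.
"""
from dataclasses import dataclass, field

# Constructed group ids (TYPO3 keeps fe_groups uids in fe_users.usergroup).
GROUP_MEMBER, GROUP_PREMIUM, GROUP_EDITOR = 1, 2, 3

# Assumed deployment policy: the only group a self-registered account may hold.
SELF_REGISTRATION_GROUPS = frozenset({GROUP_MEMBER})

# Properties the create/edit forms are permitted to set (assumed allow-list).
ALLOWED_PROPERTIES = frozenset({"username", "email", "first_name", "last_name"})


@dataclass
class FrontendUser:
    uid: int
    username: str = ""
    email: str = ""
    first_name: str = ""
    last_name: str = ""
    usergroup: set = field(default_factory=set)


def _parse_groups(value: str) -> set:
    """'1,3' -> {1, 3}: the comma-separated form TYPO3 uses for usergroup."""
    return {int(v) for v in value.split(",") if v.strip()}


def create_user_vulnerable(uid: int, form: dict) -> FrontendUser:
    """Vulnerable pattern: every submitted property lands on the record and the
    group value is never checked, so 'usergroup' becomes attacker-controlled."""
    user = FrontendUser(uid=uid)
    for name, value in form.items():
        setattr(user, name, _parse_groups(value) if name == "usergroup" else value)
    return user


def _apply_allowed(user: FrontendUser, form: dict) -> FrontendUser:
    """Map only allow-listed properties; reject anything else outright so an
    attempt to smuggle 'usergroup' is an error rather than a silent drop."""
    unexpected = set(form) - ALLOWED_PROPERTIES
    if unexpected:
        raise PermissionError(f"property not allowed: {sorted(unexpected)}")
    for name in ALLOWED_PROPERTIES & set(form):
        setattr(user, name, form[name])
    return user


def create_user_fixed(uid: int, form: dict) -> FrontendUser:
    """Fixed create flow: properties from the allow-list, group from policy."""
    user = _apply_allowed(FrontendUser(uid=uid), form)
    user.usergroup = set(SELF_REGISTRATION_GROUPS)
    return user


def edit_user_fixed(user: FrontendUser, form: dict) -> FrontendUser:
    """Fixed edit flow: same allow-list; the existing groups are left untouched."""
    return _apply_allowed(user, form)


def rejects(handler, *args) -> bool:
    """True if the handler refuses the request with PermissionError."""
    try:
        handler(*args)
    except PermissionError:
        return True
    return False


def audit_groups(users, allowed=SELF_REGISTRATION_GROUPS):
    """Accounts holding any group outside the self-registration allow-list.
    Each needs a manual check: was the group granted by an administrator, or
    self-assigned through the vulnerable form?"""
    return [u for u in users if u.usergroup - allowed]


# Constructed requests: a normal sign-up and one that smuggles in a group.
BENIGN_FORM = {"username": "alice", "email": "alice@example.com"}
MALICIOUS_FORM = {"username": "mallory", "email": "mallory@example.com",
                  "usergroup": f"{GROUP_MEMBER},{GROUP_EDITOR}"}

if __name__ == "__main__":
    bad = create_user_vulnerable(10, MALICIOUS_FORM)
    print("vulnerable handler granted groups:", sorted(bad.usergroup))
    print("fixed handler rejects request:", rejects(create_user_fixed, 11, MALICIOUS_FORM))
    good = create_user_fixed(11, BENIGN_FORM)
    print("fixed handler assigned:", sorted(good.usergroup))
    for u in audit_groups([bad, good]):
        print(f"audit: uid={u.uid} username={u.username} groups={sorted(u.usergroup)}")
```

Rejecting an unexpected property, rather than ignoring it, is a deliberate choice here: it makes a probe for this class of bug visible in application logs. A framework-level property mapper typically just refuses to map the property; either way the decisive controls are the allow-list and the server-side group assignment, not the reaction to the extra field.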

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

First Time appeared (values added): Typo3; Typo3 extension "frontend User Registration"
Vendors & Products (values added): Typo3; Typo3 extension "frontend User Registration"

Tue, 19 May 2026 14:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 10:15:00 +0000

Description (values added): The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.
Title (values added): Broken Access Control in extension "Frontend User Registration" (sf_register)
Weaknesses (values added): CWE-639, CWE-915
References (values added): none
Metrics (values added): cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-05-19T13:21:39.704Z

Reserved: 2026-05-16T09:55:27.478Z

Link: CVE-2026-46721

Vulnrichment

Updated: 2026-05-19T13:21:32.290Z

NVD

Status: Deferred

Published: 2026-05-19T10:16:24.853

Modified: 2026-05-19T14:47:13.200

Link: CVE-2026-46721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:39:39Z

Weaknesses