Description

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.

PUBLISHED Reserved 2026-05-16 | Published 2026-05-19 | Updated 2026-05-19 | Assigner TYPO3




MEDIUM: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-915

CWE-639

Product status

Default status
unaffected

14.0.0 (semver) before 14.0.2
affected

Any version before 13.2.4
affected

Credits

Seungbin Yang (reporter)

Sebastian Fischer (remediation developer)

References

typo3.org/security/advisory/typo3-ext-sa-2026-009 (vendor-advisory)

cve.org (CVE-2026-46721)

nvd.nist.gov (CVE-2026-46721)
