CVE-2026-46721

Vulnerability

The extension "Frontend User Registration" (sf_register) for TYPO3, versions 14.0.0 to 14.0.1 and 13.2.3 and below, does not restrict which user properties may be submitted during the create and edit flows. It also fails to enforce access control on the frontend user group assignment. This allows an attacker to manipulate the group assignment for a newly registered or edited account. [1]

Exploitation

An attacker with no prior authentication (AV:N/PR:N) can submit crafted HTTP requests during the registration or profile editing process, specifying an arbitrary frontend user group ID. No special network position or user interaction is required beyond the attacker performing the registration or edit action themselves. The server accepts the submission without validating whether the attacker is authorized to assign that group. [1]

Impact

A successful attack results in the attacker's account being assigned to a privileged frontend user group, granting unauthorized access to content, functionality, or data that should be restricted to members of that group. This violates confidentiality and integrity (VC:L/VI:L in the CVSS vector). The attacker does not gain administrative backend access but can read and perhaps interact with resources protected by the privileged group. [1]

Mitigation

Fixed versions 14.0.2 and 13.2.4 are available from the TYPO3 extension manager, Packagist, and direct download. Users should update the extension as soon as possible. There is no known workaround for unpatched versions. [1]