PatchSiren cyber security CVE debrief
# CVE-2026-46721 TYPO3 CVE debrief
## Summary

CVE-2026-46721 is a medium-severity authorization bypass in the frontend user management of the TYPO3 extension "Frontend User Registration" (advisory `typo3-ext-sa-2026-009`). The create and edit flows do not restrict which user properties a request may set, and they do not enforce access control on frontend user group assignment. An attacker can therefore assign arbitrary frontend user groups while registering or modifying an account and gain access to content and functionality that is restricted to privileged groups.

## Technical Details

Two weaknesses combine:

1. **Missing property restriction (CWE-915, Improperly Controlled Modification of Dynamically-Determined Object Attributes)**: the create and edit flows bind submitted properties to the user record without an allow-list of the fields the form is permitted to change, so the group membership field is reachable through ordinary form input.
2. **Missing access control on group assignment (CWE-639, Authorization Bypass Through User-Controlled Key)**: no authorization check prevents a request from choosing the frontend user groups the account is placed in during creation or editing.

The CVSS 4.0 vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` (score 6.9, Medium) encodes a network attack vector, low attack complexity, no attack requirements, no privileges and no user interaction, low impact on the confidentiality and integrity of the vulnerable system, no availability impact, and no impact on subsequent systems.

## Affected Products

The stored evidence names the TYPO3 extension "Frontend User Registration" as the affected product. The advisory identifier `typo3-ext-sa-2026-009` follows the TYPO3 extension security advisory scheme (`ext-sa`) rather than the core scheme, so the flaw is in the extension, not in TYPO3 core. Affected and fixed version numbers are not part of the stored evidence; take them from the advisory.

## Exploitation

- Submit a crafted registration request that includes a `usergroup` value naming privileged groups, so the new account is created already holding those memberships.
- Use the profile edit flow of an existing account (for example one just registered) to add privileged group memberships.
- Use the resulting memberships to reach content, member-only functionality and other resources that frontend user group access controls protect.

The registration path needs no prior authentication; the edit path needs only an ordinary frontend account, which the same registration form provides. The exact form field that carries the group assignment depends on the extension's form definition and is not given in the stored evidence.
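The two weaknesses above, and the registration and edit paths in Exploitation, as an added Python model of the flaw beside its fix. This is not code from the "Frontend User Registration" extension or from the advisory: the group ids, the field names and the rule that only an editor may change memberships are assumptions made for the example. What is not assumed is the storage form, since TYPO3 keeps frontend group membership in `fe_users.usergroup` as a comma-separated list of `fe_groups` uids.

```python
"""Mass assignment (CWE-915) in a frontend-user create/edit flow, beside the
allow-list and authorization check (CWE-639 fix) that close it.

Constructed illustration, not the extension's code.  It reproduces the shape
of the flaw: a handler that copies every submitted property onto the user
record, `usergroup` included.  Group ids, field names and the authorization
rule below are assumptions for the example.
"""
from dataclasses import dataclass, field, fields

GROUP_MEMBER = 1   # assumed: the group registration is meant to grant
GROUP_EDITOR = 2   # assumed: a privileged group gating restricted content

# Fields a self-service registration/edit form is allowed to set.
SELF_SERVICE_FIELDS = frozenset({"username", "email", "first_name", "last_name"})


@dataclass
class FrontendUser:
    uid: int
    username: str = ""
    email: str = ""
    first_name: str = ""
    last_name: str = ""
    usergroup: set = field(default_factory=set)

    def usergroup_csv(self) -> str:
        """Storage form of fe_users.usergroup: comma-separated uids."""
        return ",".join(str(g) for g in sorted(self.usergroup))


_FIELD_NAMES = {f.name for f in fields(FrontendUser)}


def parse_groups(value) -> set:
    """Accept '1,2' or ['1', '2'] as a form would deliver them."""
    if isinstance(value, str):
        value = value.split(",")
    return {int(v) for v in value if str(v).strip()}


def create_user_vulnerable(uid: int, payload: dict) -> FrontendUser:
    """Vulnerable create flow: every known property in the request is bound,
    so a submitted usergroup decides the account's group memberships."""
    user = FrontendUser(uid=uid)
    for key, value in payload.items():
        if key == "usergroup":
            user.usergroup = parse_groups(value)
        elif key in _FIELD_NAMES:
            setattr(user, key, value)
    return user


def create_user_hardened(uid: int, payload: dict) -> FrontendUser:
    """Hardened create flow: only allow-listed fields are bound, and the
    group set comes from server-side configuration, never from the request."""
    user = FrontendUser(uid=uid)
    for key in set(payload) & SELF_SERVICE_FIELDS:
        setattr(user, key, payload[key])
    user.usergroup = {GROUP_MEMBER}
    return user


def update_user_hardened(user: FrontendUser, payload: dict,
                         actor: FrontendUser) -> FrontendUser:
    """Hardened edit flow: the authorization check runs before anything is
    mutated; profile fields go through the allow-list; a usergroup change is
    an explicit operation only an actor already in GROUP_EDITOR may perform
    (assumed rule)."""
    if "usergroup" in payload and GROUP_EDITOR not in actor.usergroup:
        raise PermissionError("usergroup may only be changed by an editor")
    for key in set(payload) & SELF_SERVICE_FIELDS:
        setattr(user, key, payload[key])
    if "usergroup" in payload:
        user.usergroup = parse_groups(payload["usergroup"])
    return user


def self_edit_changes_groups(user: FrontendUser, payload: dict) -> bool:
    """True if a user editing their own profile managed to change groups."""
    before = set(user.usergroup)
    try:
        update_user_hardened(user, payload, actor=user)
    except PermissionError:
        return False
    return user.usergroup != before


# Constructed attacker request: registers and claims the editor group.
ATTACK_PAYLOAD = {
    "username": "mallory",
    "email": "mallory@example.com",
    "usergroup": [str(GROUP_MEMBER), str(GROUP_EDITOR)],
}

if __name__ == "__main__":
    print("vulnerable:", create_user_vulnerable(10, ATTACK_PAYLOAD).usergroup_csv())
    print("hardened:  ", create_user_hardened(10, ATTACK_PAYLOAD).usergroup_csv())
```

The point of the hardened pair is that group membership never travels from the request to the record: the create flow sets it from configuration, and the edit flow treats it as a separate, authorized operation rather than one more bound property.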
## Detection

Organizations should monitor for:

- Unusual frontend user group assignments in account creation logs
- Accounts with group memberships inconsistent with registration workflows
- Access to
| Field | Value |
|---|---|
| Vendor | TYPO3 |
| Product | Extension "Frontend User Registration" |
| CVSS | MEDIUM 6.9 |
| CISA KEV | Not listed in stored evidence |
| Original CVE published | 2026-05-19 |
| Original CVE updated | 2026-05-19 |
| Advisory published | 2026-05-19 |
| Advisory updated | 2026-05-19 |
## Who should care

TYPO3 CMS administrators, security teams managing content management systems, developers implementing user management workflows

## Technical summary

Missing authorization controls in TYPO3 frontend user create/edit flows allow attackers to assign arbitrary user groups, bypassing access restrictions. Network-exploitable without authentication. Medium severity (CVSS 6.9).

## Defensive priority

High

## Recommended defensive actions
- Review TYPO3 security advisory typo3-ext-sa-2026-009 (published 2026-05-19) and update the "Frontend User Registration" extension to the fixed release it references
- Audit existing frontend user accounts for anomalous group assignments
- Implement server-side validation to restrict modifiable user properties in create/edit flows
- Enforce authorization checks on all user group assignment operations
- Monitor access logs for unauthorized access to group-restricted content
- Consider web application firewall rules to detect and block suspicious user property submissions
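The audit and monitoring items above, as an added Python example that is not part of the advisory or of the extension. It runs over a constructed export of the TYPO3 `fe_users` table (in the real table `usergroup` is a comma-separated list of `fe_groups` uids) and flags self-registered accounts whose memberships the registration workflow could not have granted; a second function checks submitted form field names for a group-assignment target, which is the kind of rule a WAF or request logger on the registration and edit endpoints would carry. Assumptions made for the example: self-registered accounts are recognised by their `pid` (the storage folder the registration plugin writes to), `REGISTRATION_GROUPS` is the only group registration may grant, and form field names follow the Extbase bracket scheme.

```python
"""Audit fe_users rows for group memberships a self-service registration flow
should never have produced, and flag requests that try to set usergroup.

Added example, not from the advisory or the extension.  Input is a
constructed export of the TYPO3 fe_users table (uid, pid, username,
usergroup, crdate, tstamp).  The pid, group ids and field-name scheme are
assumptions for the example.
"""
import csv
import io
import re
from datetime import datetime, timezone

REGISTRATION_PID = 42        # assumed storage folder of the registration plugin
REGISTRATION_GROUPS = {1}    # assumed: groups registration legitimately grants
PRIVILEGED_GROUPS = {2, 3}   # assumed: groups that gate restricted content

# Constructed fe_users export, not real data.
FE_USERS_CSV = """uid,pid,username,usergroup,crdate,tstamp
100,42,alice,1,1779180000,1779180000
101,42,mallory,"1,2",1779190000,1779190000
102,42,bob,1,1779200000,1779200500
103,42,carol,"1,3",1779210000,1779290000
104,7,editor1,"1,2",1700000000,1700000000
"""

# Extbase-style form field names end in [usergroup] or [usergroup][].
USERGROUP_FIELD = re.compile(r"\[usergroup\](\[\])?$")


def parse_groups(value: str) -> set:
    return {int(v) for v in value.split(",") if v.strip()}


def audit_fe_users(export: str) -> list:
    """Return one finding per self-registered account holding a group outside
    REGISTRATION_GROUPS.  crdate == tstamp means the row was never modified
    after creation, so the group was set by the registration path; a later
    tstamp points at the edit path (heuristic: any edit bumps tstamp)."""
    findings = []
    for row in csv.DictReader(io.StringIO(export)):
        if int(row["pid"]) != REGISTRATION_PID:
            continue  # not created through the registration plugin
        extra = parse_groups(row["usergroup"]) - REGISTRATION_GROUPS
        if not extra:
            continue
        crdate, tstamp = int(row["crdate"]), int(row["tstamp"])
        findings.append({
            "uid": int(row["uid"]),
            "username": row["username"],
            "unexpected_groups": sorted(extra),
            "privileged": bool(extra & PRIVILEGED_GROUPS),
            "path": "registration" if tstamp == crdate else "edit",
            "created": datetime.fromtimestamp(crdate, tz=timezone.utc).isoformat(),
        })
    return findings


def request_sets_usergroup(form_fields: dict) -> list:
    """Names of submitted form fields that target a usergroup property, e.g.
    tx_example_form[user][usergroup][].  A WAF rule or request logger on the
    registration and edit endpoints can reject or record such submissions."""
    return [name for name in form_fields if USERGROUP_FIELD.search(name)]


if __name__ == "__main__":
    for finding in audit_fe_users(FE_USERS_CSV):
        print(finding)
```

Run the audit against a real export before and after applying the extension update: findings with path `registration` are accounts that came out of the vulnerable create flow already privileged, findings with path `edit` point at the profile edit flow, and both deserve a membership review rather than a blanket reset.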
## Evidence notes
CVE published 2026-05-19T10:16:24.853Z; modified 2026-05-19T14:47:13.200Z. Source references TYPO3 security advisory typo3-ext-sa-2026-009. CVSS 4.0 vector provided. Weaknesses: CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).
## Official resources

- CVE-2026-46721 CVE record (CVE.org)
- CVE-2026-46721 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: f4fb688c-4412-4426-b4b8-421ecf27b14a (2026-05-19)