MEDIUM
GHSA-v348-vr4q-fv9p
TYPO3 sf_register extension allows unauthorized assignment of frontend user groups
Details
The `create` and `edit` flows in the TYPO3 extension sf_register do not restrict which user properties may be submitted, and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.
Affected packages
Packagist / evoweb/sf-register
Introduced in: 14.0.0
Fixed in: 14.0.2
Fix: composer require evoweb/sf-register:^14.0.2

Packagist / evoweb/sf-register
Introduced in: 0
Fixed in: 13.2.4
Fix: composer require evoweb/sf-register:^13.2.4
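
To check a project against the ranges listed above, the following added example (not part of the advisory or the extension) reads a composer.lock and reports whether the installed evoweb/sf-register version is affected. The function names are hypothetical and the sample lock content is constructed for illustration.

```python
import json
import re

PACKAGE = "evoweb/sf-register"
# Ranges copied from this advisory: (introduced, fixed); the fixed version is exclusive.
AFFECTED_RANGES = [((0, 0, 0), (13, 2, 4)), ((14, 0, 0), (14, 0, 2))]

# Constructed sample of the two composer.lock sections that list installed packages.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v13.4.0"},
        {"name": "evoweb/sf-register", "version": "14.0.1"},
    ],
    "packages-dev": [],
})


def parse_version(text):
    """Turn '14.0.1' or 'v13.2.3' into a tuple; None for branches or pre-releases."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '14.0' to (14, 0, 0)


def is_affected(version_text):
    """True or False for a plain version, None when it needs a manual check."""
    version = parse_version(version_text)
    if version is None:
        return None
    return any(low <= version < fixed for low, fixed in AFFECTED_RANGES)


def check_lock(lock_text):
    """Return (installed_version, affected) for the package in composer.lock text."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            version = pkg.get("version") or ""
            return version, is_affected(version)
    return None, False  # package not installed


if __name__ == "__main__":
    installed, affected = check_lock(SAMPLE_LOCK)
    print(f"{PACKAGE} {installed}: affected={affected}")
```

A result of `None` for the affected flag means the lock pins a branch or pre-release (for example `dev-main`) that cannot be compared against the ranges and has to be reviewed by hand.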