TYPO3-EXT-SA-2026-009: Broken Access Control in extension "Frontend User Registration" (sf_register)
It has been discovered that the extension "Frontend User Registration" (sf_register) is vulnerable to Broken Access Control.
- Release Date: May 19, 2026
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: "Frontend User Registration" (sf_register)
- Composer Package Name: evoweb/sf-register
- Vulnerability Type: Broken Access Control
- Affected Versions: 14.0.0 - 14.0.1, 13.2.3 and below
- Severity: Medium
- Suggested CVSS v4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
- References: CVE-2026-46721, CWE-915, CWE-639
Problem Description
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.
Solution
Updated versions 14.0.2 and 13.2.4 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/sf_register/14.0.2/zip
https://extensions.typo3.org/extension/download/sf_register/13.2.4/zip
Users of the extension are advised to update the extension as soon as possible.
Credits
Thanks to Seungbin Yang for reporting the vulnerability and to Sebastian Fischer for providing updated versions of the extension.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.