{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4208", "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "state": "PUBLISHED", "assignerShortName": "TYPO3", "dateReserved": "2026-03-15T11:55:45.299Z", "datePublished": "2026-03-17T08:34:52.141Z", "dateUpdated": "2026-03-24T17:20:39.697Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "shortName": "TYPO3", "dateUpdated": "2026-03-24T17:20:39.697Z"}, "title": "Authentication Bypass in extension \"E-Mail MFA Provider\" (mfa_email)", "datePublic": "2026-03-17T09:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-639", "description": "CWE-639", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "affected": [{"vendor": "TYPO3", "product": "Extension \"E-Mail MFA Provider\"", "collectionURL": "https://packagist.org", "packageName": "ralffreit/mfa-email", "repo": "https://github.com/MrSilaz/mfa_email", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.0.5", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span>The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.</span>"}]}], "references": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-007"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.7, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Jan Holtk\u00f6tter", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T13:16:53.008295Z", "id": "CVE-2026-4208", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:17:07.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4208", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-17T13:16:53.008295Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:17:01.174Z"}}], "cna": {"title": "Authentication Bypass in extension \"E-Mail MFA Provider\" (mfa_email)", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Jan Holtk\u00f6tter"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/MrSilaz/mfa_email", "vendor": "TYPO3", "product": "Extension \"E-Mail MFA Provider\"", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.5"}, {"status": "affected", "version": "2.0.0", "versionType": "semver"}], "packageName": "ralffreit/mfa-email", "collectionURL": "https://packagist.org", "defaultStatus": "unaffected"}], "datePublic": "2026-03-17T09:00:00.000Z", "references": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-007"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.", "supportingMedia": [{"type": "text/html", "value": "<span>The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639"}]}], "providerMetadata": {"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "shortName": "TYPO3", "dateUpdated": "2026-03-24T17:20:39.697Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4208", "state": "PUBLISHED", "dateUpdated": "2026-03-24T17:20:39.697Z", "dateReserved": "2026-03-15T11:55:45.299Z", "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "datePublished": "2026-03-17T08:34:52.141Z", "assignerShortName": "TYPO3"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mrsilaz:mfa_mail:*:*:*:*:*:typo3:*:*", "matchCriteriaId": "2BF56C4D-1D5F-400F-B424-6F7C08532D02", "versionEndExcluding": "1.0.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:mrsilaz:mfa_mail:2.0.0:*:*:*:*:typo3:*:*", "matchCriteriaId": "5375BB80-5A35-40F2-9102-511ACE54ACA0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider."}, {"lang": "es", "value": "La extensi\u00f3n no restablece correctamente el c\u00f3digo MFA generado despu\u00e9s de una autenticaci\u00f3n exitosa. Esto conduce a una posible omisi\u00f3n de MFA para futuros intentos de inicio de sesi\u00f3n al proporcionar una cadena vac\u00eda como c\u00f3digo MFA al proveedor de MFA de la extensi\u00f3n."}], "id": "CVE-2026-4208", "lastModified": "2026-04-25T18:43:03.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "type": "Secondary"}]}, "published": "2026-03-17T09:16:14.810", "references": [{"source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "tags": ["Vendor Advisory"], "url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-007"}], "sourceIdentifier": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Extension \"E-Mail MFA Provider\"", "source": "cna", "vendor": "TYPO3"}, "product": "extension_\"e-mail_mfa_provider\"", "vendor": "typo3"}], "analysis": {"en": {"generated_at": "2026-03-17T10:51:16.290966+00:00", "value": {"mitigation_remediation": ["Apply the latest security update for the TYPO3 E\u2011Mail MFA Provider extension as soon as a patch is released.", "If no patch is currently available, disable or remove the MFA extension to prevent unauthorized logins until a fix is released.", "Configure the system to reject empty or missing MFA codes by default, ensuring that all authentication attempts require a valid code.", "Monitor authentication logs for repeated empty code submissions and investigate any suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Authentication bypass via MFA"}, "threat_synthesis": {"affected_systems": "The affected product is the TYPO3 E\u2011Mail MFA Provider extension. No specific affected versions are listed by the CNA, so all publicly available releases of the extension could potentially be compromised until an official fix is released.", "description_and_impact": "The E\u2011Mail MFA Provider extension does not reset the generated MFA code after a successful authentication, allowing the same code to be reused on subsequent login attempts. An attacker can supply an empty string as the MFA code, effectively bypassing the MFA check without needing the actual code. This flaw is a classic authorization bypass (CWE\u2011639) that can allow an attacker to obtain privileged access to user accounts and associated data.", "risk_and_exploitability": "The CVSS score of 7.7 indicates high severity, but the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker who has already authenticated or has legitimate credentials for an account; after a successful login the attacker can reuse the empty code on subsequent attempts. Once the MFA check is bypassed, the attacker gains complete access to the compromised account and any resources reachable through that account. The overall risk is significant for sites that rely solely on this extension for MFA protection."}}}}, "created": "2026-03-18T12:13:32.692963+00:00", "updated": "2026-03-24T10:49:28.249456+00:00", "vendors": ["typo3", "typo3$PRODUCT$extension_\"e-mail_mfa_provider\""]}