TYPO3 E-Mail MFA Provider Extension Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in the TYPO3 extension 'E-Mail MFA Provider' (mfa_email), versions 2.0.0 and below. The extension does not properly reset the generated multi-factor authentication (MFA) code after a successful verification, and an empty string is subsequently accepted as a valid code. An attacker who already holds a user's first-factor credentials can therefore bypass MFA on later login attempts by submitting an empty string as the MFA code. The bypass works only when 'E-Mail MFA Provider' is not configured as the default MFA provider and at least one other MFA provider is available.
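The flaw described above is a state-handling bug in the code check, not a weakness of the code itself. The following Python model is added here as an illustration; it is not code from the mfa_email extension or from TYPO3. It assumes one way the described behaviour can arise (the stored code is blanked after a successful check, and the check never asks whether a code is actually pending) and places the corrected logic beside it. The class names, the six-digit code format, the 300-second lifetime and the 'editor' user are illustrative assumptions.

```python
"""Model of an e-mail MFA code check that is not reset correctly, beside a
hardened version.  Constructed illustration for this advisory; it is not
code from the mfa_email extension or from TYPO3 and makes no claim about
how that extension actually stores its code."""
import hmac
import secrets
import time


def _new_code() -> str:
    """Six-digit numeric code, as e-mail MFA providers commonly send."""
    return f"{secrets.randbelow(10**6):06d}"


class VulnerableEmailMfa:
    """Assumed failure mode: a successful check "resets" the stored code to
    the empty string and verify() never asks whether a code is pending.
    The next verification therefore accepts "" as the code."""

    def __init__(self) -> None:
        self._code: dict[str, str] = {}   # user -> last generated code

    def generate(self, user: str) -> str:
        code = _new_code()
        self._code[user] = code
        return code

    def verify(self, user: str, submitted: str) -> bool:
        stored = self._code.get(user, "")
        if submitted == stored:           # "" == "" passes
            self._code[user] = ""         # "reset" leaves an empty, matchable value
            return True
        return False


class HardenedEmailMfa:
    """Fixes: refuse empty input, refuse when no code is pending, expire
    codes, compare in constant time, and delete the code after one use."""

    TTL_SECONDS = 300

    def __init__(self, now=time.time) -> None:
        self._pending: dict[str, tuple[str, float]] = {}  # user -> (code, expiry)
        self._now = now

    def generate(self, user: str) -> str:
        code = _new_code()
        self._pending[user] = (code, self._now() + self.TTL_SECONDS)
        return code

    def verify(self, user: str, submitted: str) -> bool:
        if not submitted:
            return False
        entry = self._pending.get(user)
        if entry is None:                  # nothing was sent: nothing can match
            return False
        code, expires_at = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False
        del self._pending[user]            # single use: a replay or "" fails
        return True


def demonstrate() -> dict[str, bool]:
    """Run both providers through the sequence the advisory describes."""
    vuln = VulnerableEmailMfa()
    code = vuln.generate("editor")
    results = {
        "vuln_first_login": vuln.verify("editor", code),
        "vuln_empty_after_success": vuln.verify("editor", ""),   # bypass
    }

    clock = [1_000.0]                      # fake clock so expiry is testable
    hard = HardenedEmailMfa(now=lambda: clock[0])
    results["hard_empty_before_any_code"] = hard.verify("editor", "")
    code = hard.generate("editor")
    results["hard_empty_with_pending"] = hard.verify("editor", "")
    results["hard_correct_once"] = hard.verify("editor", code)
    results["hard_replay"] = hard.verify("editor", code)
    results["hard_empty_after_success"] = hard.verify("editor", "")
    code = hard.generate("editor")
    clock[0] += HardenedEmailMfa.TTL_SECONDS + 1
    results["hard_expired"] = hard.verify("editor", code)
    return results


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name:32} accepted={ok}")
```

The two properties that matter for this advisory are visible in the hardened class: a verification attempt with no pending code (the situation when another provider handled the current login) is rejected before any comparison, and a successfully used code is deleted rather than blanked, so there is never an empty stored value for an empty submission to match.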

Impact

Exploitation of this vulnerability allows a user, or an attacker who has obtained that user's password, to complete login without presenting the second factor. This removes the protection MFA is meant to add and can lead to unauthorized access to the affected account.

Remediation

This advisory names no fixed release. Users are advised to uninstall the 'E-Mail MFA Provider' extension and delete its folder from their TYPO3 installation, then confirm that accounts previously enrolled with it are re-enrolled with a different MFA provider. Alternative extensions can be found in the TYPO3 Extension Repository.

Added: Mar 17, 2026, 9:23 AM
Updated: Mar 17, 2026, 9:23 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.3
exploitability: 5.0
remediation: 6.0
relevance: 4.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.