CVE-2026-4208

Summary

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.

Affected Software

VendorProductVersion RangeStatus
TYPO3Extension “E-Mail MFA Provider”0 <= 1.0.5affected
TYPO3Extension “E-Mail MFA Provider”2.0.0affected

Weaknesses

  • CWE-639: CWE-639

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References