TYPO3 CMS MFA Code Reset Bypass via Empty String
CVE-2026-4208 Published on March 17, 2026

Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)
The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.

NVD

Weakness Type

What is an Insecure Direct Object Reference / IDOR Vulnerability?

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVE-2026-4208 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.

Affected Versions

TYPO3 Extension "E-Mail MFA Provider":

Before and including 1.0.5 is affected.
Version 2.0.0 is affected.

Exploit Probability

EPSS

0.06%

Percentile

17.16%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

TYPO3 CMS MFA Code Reset Bypass via Empty StringCVE-2026-4208 Published on March 17, 2026

Weakness Type

What is an Insecure Direct Object Reference / IDOR Vulnerability?

Affected Versions

Exploit Probability

TYPO3 CMS MFA Code Reset Bypass via Empty String
CVE-2026-4208 Published on March 17, 2026