See Registration role - Critical - Access bypass - SA-CONTRIB-2024-015.
This release ensures that, even if configuration is never updated to the new schema as expected, only the expected roles are granted to new registrants.
If you cannot update right away, simply re-save the configuration form at /admin/people/registration-role and your configuration will be fixed, even without this release.
Review user accounts registered between 2023 July 11 and now for additional roles you did not intend them to have. If your site missed or reverted an update to configuration in the version 2.0.0 release of Registration Role (or the development branch from 2020 August 17 on), non-selected roles were not removed from configuration. Without this update, users who registered have received all roles, including the Administrator role, up until you re-saved the settings form or installed the new release, whichever came first.
When you run update hooks after installing this release, it will warn you if the site was affected directly before the update hooks ran, but it cannot guarantee that the site was never affected. (If you followed the standard update procedure of running update hooks with the code update and then committing the configuration, your site was never affected.) Users with all roles should stand out in the /admin/people listing; alternatively, filter by the Administrator role and confirm that everyone who has it should have it.
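
One way to run the account review described above directly against the database, as an added example that is not part of the module or its release notes. It assumes MySQL/MariaDB, the default Drupal 8+ tables `users_field_data` and `user__roles` with no table prefix, and an Administrator role whose machine name is `administrator`.

```sql
-- Added audit example; assumptions are listed in the lead-in above.
-- 1689033600 is 2023-07-11 00:00:00 UTC, the start of the review window.
-- The inner join skips accounts that hold only the implicit "authenticated"
-- role, which Drupal does not store in user__roles.
SELECT
  u.uid,
  u.name,
  u.mail,
  FROM_UNIXTIME(u.created) AS registered,
  u.status AS active,
  COUNT(r.roles_target_id) AS role_count,
  GROUP_CONCAT(r.roles_target_id ORDER BY r.roles_target_id SEPARATOR ', ') AS roles,
  -- 1 when the account holds the (assumed) "administrator" role, else 0.
  MAX(r.roles_target_id = 'administrator') AS has_administrator
FROM users_field_data AS u
JOIN user__roles AS r
  ON r.entity_id = u.uid
 AND r.deleted = 0
WHERE u.created >= 1689033600
  AND u.default_langcode = 1
GROUP BY u.uid, u.name, u.mail, u.created, u.status
-- Accounts with the administrator role, then the most roles, sort to the top.
ORDER BY has_administrator DESC, role_count DESC, u.created;
```

Compare the `roles` column for each account against the roles actually selected at /admin/people/registration-role; any account holding roles beyond those was either affected or had roles granted manually.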