Impact
phpMyFAQ is an open‑source FAQ web application. In versions 4.0.16 and earlier, the code that serves attachment downloads performs a permission check that only verifies that a rights key exists, rather than confirming that the user actually holds the dlattachment right. In addition, the logic that combines group and user permissions contains a flawed conditional expression. Together these defects allow an authenticated user who lacks the dlattachment right to download any FAQ attachment, exposing potentially confidential files to anyone with an account, including malicious insiders and attackers using stolen credentials. The issue is a textbook case of broken access control (CWE‑284).
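The two defect classes named above are easy to reproduce in isolation. The PHP below is an illustrative example added to this page; it is not phpMyFAQ code, the advisory does not quote the project's actual expressions, and every function, constant and right name other than dlattachment is hypothetical. The rights fixture is constructed so that every known right is stored as a key with an explicit boolean, which is exactly the shape that makes an existence check meaningless, and the "flawed conditional" is modelled as a denial branch that treats an explicit false the same as an unset right.

```php
<?php
declare(strict_types=1);

// Illustrative example, not phpMyFAQ code. Names are hypothetical.
// Constructed fixture: per-user rights, per-group rights, group membership.
// Every known right is materialised with an explicit true/false value.
const USER_RIGHTS = [
    'editor' => ['viewfaq' => true, 'dlattachment' => true],
    'reader' => ['viewfaq' => true, 'dlattachment' => false],
];
const GROUP_RIGHTS = [
    'staff'  => ['viewfaq' => true, 'dlattachment' => true],
    'guests' => ['viewfaq' => true, 'dlattachment' => false],
];
const USER_GROUPS = [
    'editor' => ['staff'],
    'reader' => ['guests'],
];

// Defect 1: key existence is not permission. Every user in the fixture has
// a 'dlattachment' key, so this returns true for the reader as well.
function canDownloadWeak(string $user): bool
{
    $rights = USER_RIGHTS[$user] ?? [];
    return isset($rights['dlattachment']);
}

// Fix for defect 1: the value must be exactly true; a missing key or an
// explicit false both deny.
function canDownloadStrict(string $user): bool
{
    $rights = USER_RIGHTS[$user] ?? [];
    return ($rights['dlattachment'] ?? false) === true;
}

// The user's own value for a right: true, false, or null when not set.
function userRight(string $user, string $right): ?bool
{
    return USER_RIGHTS[$user][$right] ?? null;
}

// Group view of a right: true if any group grants it, false if at least one
// group explicitly denies it and none grants it, null if no group sets it.
function groupRight(string $user, string $right): ?bool
{
    $seen = null;
    foreach (USER_GROUPS[$user] ?? [] as $group) {
        $value = GROUP_RIGHTS[$group][$right] ?? null;
        if ($value === true) {
            return true;
        }
        if ($value === false) {
            $seen = false;
        }
    }
    return $seen;
}

// Defect 2 (constructed variant): the denial branch only fires when neither
// the user nor any group has the right set at all. An explicit false on both
// sides counts as "set", so the reader is granted the download.
function hasRightFlawed(string $user, string $right): bool
{
    if (userRight($user, $right) === null && groupRight($user, $right) === null) {
        return false;
    }
    return true;
}

// Fix for defect 2: grant only on an explicit true from either source.
function hasRightStrict(string $user, string $right): bool
{
    return userRight($user, $right) === true || groupRight($user, $right) === true;
}

// Stand-alone run: the reader passes both weak checks and fails both strict ones.
foreach (['editor', 'reader', 'nobody'] as $user) {
    printf(
        "%-7s weak=%-5s strict=%-5s flawed=%-5s fixed=%s\n",
        $user,
        var_export(canDownloadWeak($user), true),
        var_export(canDownloadStrict($user), true),
        var_export(hasRightFlawed($user, 'dlattachment'), true),
        var_export(hasRightStrict($user, 'dlattachment'), true)
    );
}
```

Run it with `php example.php`. The lesson for review is the same for both functions: a permission check must compare against the granting value (`=== true`), never against presence (`isset`, `!== null`, `array_key_exists`), because a rights table that records denials explicitly will contain the key for every user.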
Affected Systems
The affected product is phpMyFAQ, developed by thorsten. Versions 4.0.16 and below are vulnerable. A fix has been committed, but the advisory does not yet name the release that contains it, so administrators should upgrade to the latest release and consult the project’s GitHub page to confirm that the corrected attachment permission check is included.
Risk and Exploitability
The CVSS v3.1 base score is 6.5 (medium). The EPSS score is below 1 %, indicating a low probability of exploitation in the near term, and the vulnerability is not listed in CISA’s KEV catalog. Those indicators should not be read as low impact, however: the only precondition is an authenticated session, so any internal user, or an attacker holding compromised credentials, can download every attachment immediately, with no further exploitation step required. The flaw grants neither code execution nor privileges beyond the authenticated session; it bypasses a single file‑download permission check.
OpenCVE Enrichment
Github GHSA