Description
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.
Published: 2026-01-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Backup
Action: Patch Immediately
AI Analysis

Impact

A flaw in the authorization logic of phpMyFAQ allows any authenticated user, regardless of role, to invoke the /api/setup/backup endpoint. SetupController.php checks userIsAuthenticated() but never verifies that the requester holds administrative or configuration-management permissions. A non-admin user can therefore trigger a configuration backup and obtain the link to the generated ZIP, potentially exposing sensitive configuration data. This is missing authorization (CWE-862): the endpoint answers "who are you?" but never "are you allowed to do this?".
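The following is an added example, not phpMyFAQ's code and not a reproduction of SetupController.php. It models the authentication-only check described above beside the corrected authentication-plus-permission check, which is also what the recommended actions below ask a temporary patch to enforce. The User class, the permission name backup_config, the createBackupZip() stand-in and the path it returns are assumptions for illustration.

```php
<?php
// Added example (not phpMyFAQ code): the CWE-862 pattern behind
// CVE-2026-24421 next to the corrected check. User, the permission name
// 'backup_config', createBackupZip() and its path are illustrative assumptions.
declare(strict_types=1);

final class User
{
    /** @param string[] $permissions */
    public function __construct(
        private bool $authenticated,
        private array $permissions = [],
    ) {}

    public function isAuthenticated(): bool
    {
        return $this->authenticated;
    }

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

/** Stand-in for the backup job: returns the path of a freshly written ZIP. */
function createBackupZip(): string
{
    return '/var/www/phpmyfaq/content/backup/phpmyfaq-backup-' . date('Ymd') . '.zip';
}

/**
 * Flawed pattern: authentication only. Any logged-in user (PR:L in the
 * CVSS vector) can trigger the backup and learn the ZIP path.
 */
function backupVulnerable(User $user): array
{
    if (!$user->isAuthenticated()) {
        return ['status' => 401, 'body' => ['error' => 'unauthenticated']];
    }
    return ['status' => 200, 'body' => ['backup' => createBackupZip()]];
}

/**
 * Corrected pattern: authentication AND an explicit, server-side permission
 * check before any side effect. The caller's claimed role is never trusted.
 */
function backupFixed(User $user): array
{
    if (!$user->isAuthenticated()) {
        return ['status' => 401, 'body' => ['error' => 'unauthenticated']];
    }
    if (!$user->hasPermission('backup_config')) {
        // Deny before doing any work: no ZIP is written, no path is leaked.
        return ['status' => 403, 'body' => ['error' => 'forbidden']];
    }
    return ['status' => 200, 'body' => ['backup' => createBackupZip()]];
}

// Constructed sample principals.
$principals = [
    'anonymous' => new User(authenticated: false),
    'editor'    => new User(authenticated: true, permissions: ['edit_faq']),
    'admin'     => new User(authenticated: true, permissions: ['edit_faq', 'backup_config']),
];

// Vulnerable handler: 401 / 200 / 200. Fixed handler: 401 / 403 / 200.
foreach (['vulnerable' => 'backupVulnerable', 'fixed' => 'backupFixed'] as $label => $handler) {
    foreach ($principals as $who => $user) {
        $result = $handler($user);
        printf("%-10s %-9s -> %d\n", $label, $who, $result['status']);
    }
}
```

The difference that matters is the ordering in backupFixed(): the permission check runs before createBackupZip(), so a non-admin request leaves no artifact behind. As general hardening beyond what the advisory states, a backup ZIP should also live outside the web root or be served through a route that repeats this permission check, otherwise the returned link is a standing capability that outlives the session that created it.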

Affected Systems

The phpMyFAQ web application (GitHub project thorsten/phpmyfaq) is affected in versions 4.0.16 and earlier. The vendor has addressed the issue in version 4.0.17, which adds the missing permission check to the backup API.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: network-reachable, low complexity, no user interaction, requiring only low privileges, with high confidentiality impact and no integrity or availability impact. The EPSS score is below 1%, the CISA SSVC assessment records no known exploitation and rates the issue as not automatable, and it is not listed in the CISA KEV catalog. An attacker needs nothing more than a valid account on the instance, so every legitimate user, including self-registered ones where registration is open, can trigger the backup and obtain the link to it. No privilege escalation or remote code execution is required, and the issue is confined to data exposure.

Generated by OpenCVE AI on April 18, 2026 at 02:57 UTC.

Remediation

Vendor fix: phpMyFAQ 4.0.17 (see the GitHub advisory GHSA-wm8h-26fv-mg7g below). No vendor-supplied workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade to phpMyFAQ 4.0.17 or later to apply the vendor fix.
  • If an immediate upgrade is not feasible, block the /api/setup/backup path at the web server or reverse proxy. The web server cannot distinguish an admin session from any other phpMyFAQ session, so this is a blanket deny (or a source-IP allow list for administrators), not a role check.
  • As a temporary code-level measure, change SetupController.php (or add middleware in front of the route) so the backup action requires the configuration/admin permission in addition to userIsAuthenticated(), and denies before any backup is written.
  • Review access logs for requests to /api/setup/backup from non-admin accounts made before the fix. Treat any backup those requests produced as disclosed: remove the ZIP files and rotate any secrets contained in the configuration.
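An added example of the web-server block described in the recommended actions, not a configuration shipped by phpMyFAQ or OpenCVE. It assumes nginx fronts phpMyFAQ at the site root; for a subdirectory install, prefix the location path accordingly.

```nginx
# Added example (not from phpMyFAQ or OpenCVE): temporary mitigation for
# CVE-2026-24421 until the upgrade to 4.0.17. Assumes phpMyFAQ is served
# from the site root. Place inside the server {} block that serves the app.
#
# "^~" is a prefix match that also covers a trailing-slash variant of the
# path and wins over any regex location (such as the one that hands
# requests to PHP-FPM), so the request is refused before it reaches PHP.
location ^~ /api/setup/backup {
    # Blanket deny: nginx cannot tell an admin session from any other
    # phpMyFAQ session, so every caller gets 403 until the rule is removed.
    return 403;
}
```

Remove the location block after upgrading; otherwise administrators remain locked out of the API backup even once the application enforces the permission itself. Reload nginx after the change and confirm with an authenticated non-admin request that the path now returns 403 rather than a ZIP link.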

Advisories
Source: GitHub GHSA
ID: GHSA-wm8h-26fv-mg7g
Title: phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)
History

Fri, 30 Jan 2026 17:30:00 +0000

Type: First Time appeared
Values Added: Phpmyfaq; Phpmyfaq phpmyfaq

Type: CPEs
Values Added: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Phpmyfaq; Phpmyfaq phpmyfaq

Mon, 26 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Thorsten; Thorsten phpmyfaq

Type: Vendors & Products
Values Added: Thorsten; Thorsten phpmyfaq

Sat, 24 Jan 2026 02:45:00 +0000

Type: Description
Values Removed: phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.
Values Added: phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.

Sat, 24 Jan 2026 02:00:00 +0000

Type: Description
Values Added: phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.

Type: Title
Values Added: phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T16:17:14.650Z

Reserved: 2026-01-22T18:19:49.175Z

Link: CVE-2026-24421

Vulnrichment

Updated: 2026-01-26T16:14:23.974Z

NVD

Status: Analyzed

Published: 2026-01-24T02:15:49.507

Modified: 2026-01-30T17:29:58.223

Link: CVE-2026-24421

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z

Weaknesses