A request to the WebAuthn prepare endpoint creates new, active user accounts without requiring any form of authentication, CSRF protection, captcha, or configuration checks. The flaw allows an attacker to create an unlimited number of accounts even when the application’s registration feature is disabled. This could enable malicious users to gain access to internal resources, perform spam or phishing campaigns, or evade rate‑limiting controls. The weakness is a classic "Missing Authorization" error (CWE‑862).

The vulnerability affects phpMyFAQ installations from thorsten running any version prior to 4.0.18; no additional sub-components are listed.

The CVSS score of 7.5 indicates a high severity: the vulnerability can be exploited remotely with no authentication and would lead to a significant increase in the attack surface. The EPSS score of less than 1% suggests that, while exploitability exists, the probability of exploitation in the near term is small. The vulnerability is not included in the CISA KEV catalog, pointing to an absence of known large‑scale exploitation. Because the endpoint is reachable over HTTP/HTTPS and requires no credentials, the attack vector is straightforward – simply sending a crafted request to /api/webauthn/prepare. With no CSRF or other mitigations in place, a single web request suffices to create an account, enabling further attack activities.