Description
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.
Published: 2026-05-28
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insecure direct object reference in the admin API user password endpoint of phpMyFAQ: the endpoint lets an authenticated administrator modify any user’s password without checking that the caller is authorized to act on that account. An attacker with low‑privilege administrator credentials can change a target user’s password by supplying a different userId in the overwrite‑password request and thereby elevate to the SuperAdmin role. This permits unauthorized password resets and potential full system takeover, affecting confidentiality, integrity, and availability.

Affected Systems

The issue affects the phpMyFAQ application (thorsten:phpMyFAQ). All releases before 4.1.3 contain the flaw; these are the unsupported releases, and 4.1.3 is the first release without it.

Risk and Exploitability

The CPE identifies phpMyFAQ, and the CVSS score of 8.7 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation yet. However, the flaw can be exploited by any user who already possesses low‑privilege administrative access, enabling them to change any user's password and potentially elevate to SuperAdmin. Successful exploitation permits unauthorized password resets and possible full administrative control.

Generated by OpenCVE AI on May 28, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to phpMyFAQ version 4.1.3 or later, which removes the insecure direct object reference in the password API.
  • Ensure that only users with verified SuperAdmin status are allowed to access password reset functionality, adding an authorization check on the userId parameter.
  • Verify that the application’s admin API endpoints require explicit privilege checks and that no other authentication bypasses exist.
  • Audit system logs for unexpected password changes and investigate any suspicious activity before and after applying the patch.
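A minimal model of the flawed check and its hardened form, added here as an illustration of the second recommended action (this is not phpMyFAQ's code; the function, field and user names are assumptions): the vulnerable handler uses the userId from the request as-is, while the fixed handler derives the caller's privilege from the server-side session and refuses cross-user changes by anyone who is not a SuperAdmin.

```python
from dataclasses import dataclass

@dataclass
class User:
    user_id: int
    name: str
    password_hash: str
    is_superadmin: bool = False

class Forbidden(Exception):
    """Raised when the caller may not change the target user's password."""

def make_users():
    """Constructed sample accounts for the demonstration (not phpMyFAQ data)."""
    return {
        1: User(1, "superadmin", "hash-initial-1", is_superadmin=True),
        7: User(7, "editor", "hash-initial-7"),
    }

def overwrite_password_vulnerable(users, caller_id, target_id, new_hash):
    """IDOR pattern: the only check is that the caller is logged in to the
    admin area. The userId taken from the request is used as-is, so a
    low-privilege admin can overwrite the SuperAdmin's password."""
    if caller_id not in users:
        raise Forbidden("not authenticated")
    users[target_id].password_hash = new_hash
    return target_id

def may_change_password(caller, target_id):
    """Authorization rule: own password always; another user's only as SuperAdmin."""
    return target_id == caller.user_id or caller.is_superadmin

def overwrite_password_fixed(users, caller_id, target_id, new_hash):
    """Hardened form: the object reference (userId) is checked against the
    caller's privilege, which comes from the server-side session record,
    never from the request body."""
    caller = users.get(caller_id)
    if caller is None:
        raise Forbidden("not authenticated")
    if target_id not in users:
        raise KeyError(f"unknown user {target_id}")
    if not may_change_password(caller, target_id):
        raise Forbidden(f"user {caller_id} may not change the password of user {target_id}")
    users[target_id].password_hash = new_hash
    return target_id
```

Every call that reaches the final assignment in the fixed handler is one that passed the authorization rule, which is also the event an audit log should record (caller, target, outcome) so that cross-user changes are visible during the log review recommended above.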

Advisories

Source: Github GHSA
ID: GHSA-xvp4-phqj-cjr3
Title: phpMyFAQ: IDOR Account Takeover
History

Sat, 30 May 2026 02:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 15:30:00 +0000

Type: Description
Values added: phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.

Type: Title
Values added: phpMyFAQ - Insecure Direct Object Reference in User Password API

Type: First time appeared
Values added: Phpmyfaq; Phpmyfaq phpmyfaq

Type: Weaknesses
Values added: CWE-266

Type: CPEs
Values added: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Phpmyfaq; Phpmyfaq phpmyfaq

Type: References (no values listed)

Type: Metrics
Values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T01:55:57.200Z

Reserved: 2026-04-04T12:32:50.476Z

Link: CVE-2026-35671

Vulnrichment

Updated: 2026-05-30T01:55:51.066Z

NVD

Status: Deferred

Published: 2026-05-28T16:16:21.530

Modified: 2026-05-30T02:16:17.737

Link: CVE-2026-35671

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T18:00:11Z

Weaknesses