Description
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.
Published: 2026-05-28
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exists in phpMyFAQ's API v4.0, where the default empty apiClientToken allows an attacker to bypass authentication by sending an empty x-pmf-token header. This bypass enables the creation or modification of FAQ entries via POST requests to /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question. The vulnerability is a classic authentication bypass (CWE-1188) that permits unauthenticated users to add or alter content, potentially injecting malicious payloads that are then displayed to site visitors. It threatens the integrity of the FAQ database and may lead to arbitrary code or content injection.

Affected Systems

phpMyFAQ installations using API v4.0 and running a version prior to 4.1.3 are affected. The issue was fixed in release 4.1.3; any earlier version remains vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the flaw can be exploited remotely over the HTTP API without credentials. No EPSS score is available yet, and the absence of a KEV listing does not lower the risk: the vulnerability remains exploitable. An attacker needs only network access to the exposed API endpoints and can send a crafted POST request with an empty token header to create or modify FAQ entries. This straightforward attack vector makes the flaw readily exploitable.

Generated by OpenCVE AI on May 28, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.3 or later, which disables the empty token bypass and enforces proper token validation.
  • If an immediate upgrade is not possible, reconfigure the application to require a non-empty apiClientToken or disable the vulnerable API endpoints (e.g., remove /api/v4.0 from public access or set an enforce_token flag).
  • Ensure any automated or external clients that use the API send a valid, non-empty x-pmf-token header with each request.
  • Limit exposure by restricting access to the API endpoints with firewall rules or web-application firewall settings, allowing only trusted networks or IP addresses to reach the service.

Generated by OpenCVE AI on May 28, 2026 at 16:24 UTC.
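As an added illustration (not phpMyFAQ's own code), the check below models the weak pattern the Impact section describes, an empty default configuration value compared against an empty x-pmf-token header, beside a hardened form that fails closed, which is what the upgrade and the non-empty-token workaround above aim for. Function and variable names are assumed for the illustration.

```php
<?php
// Added illustration, not phpMyFAQ's own code: a simplified token check
// modelled on the behaviour the advisory describes (CWE-1188, insecure default).
// $configuredToken stands for the api.apiClientToken configuration value,
// $suppliedToken for the request's x-pmf-token header (both names assumed).

// Weak pattern: a plain comparison. With the default empty configuration
// value, an empty (or absent) header compares equal and the request passes.
function weakTokenCheck(string $configuredToken, ?string $suppliedToken): bool
{
    return $configuredToken === ($suppliedToken ?? '');
}

// Hardened pattern: fail closed when no token has been configured, reject
// missing or empty headers outright, and compare in constant time.
function hardenedTokenCheck(string $configuredToken, ?string $suppliedToken): bool
{
    if ($configuredToken === '') {
        // Insecure default: treat "no token configured" as "API disabled".
        return false;
    }
    if ($suppliedToken === null || $suppliedToken === '') {
        return false;
    }
    return hash_equals($configuredToken, $suppliedToken);
}

// Constructed sample requests: [configured token, supplied header value].
$cases = [
    'default config, empty header'   => ['', ''],
    'default config, missing header' => ['', null],
    'token set, empty header'        => ['s3cret-example-token', ''],
    'token set, wrong header'        => ['s3cret-example-token', 'guess'],
    'token set, correct header'      => ['s3cret-example-token', 's3cret-example-token'],
];

foreach ($cases as $label => [$configured, $supplied]) {
    printf(
        "%-32s weak=%-5s hardened=%s\n",
        $label,
        weakTokenCheck($configured, $supplied) ? 'pass' : 'deny',
        hardenedTokenCheck($configured, $supplied) ? 'pass' : 'deny'
    );
}
```

The first two cases are the vulnerable condition: the weak check passes them, the hardened check denies them, and only a configured token matched exactly is accepted.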


Advisories

Source: Github GHSA; ID: GHSA-gp95-j463-vv28; Title: phpMyFAQ: Default Empty API Token Authentication Bypass
History

Thu, 28 May 2026 17:30:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 15:30:00 +0000

Description: phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.
Title: phpMyFAQ - Authentication Bypass via Empty API Token
First Time appeared: Phpmyfaq (vendor), phpmyfaq (product)
Weaknesses: CWE-1188
CPEs: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products: Phpmyfaq (vendor), phpmyfaq (product)
References:
Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T15:28:15.557Z

Reserved: 2026-04-04T12:32:50.476Z

Link: CVE-2026-35672

Vulnrichment

Updated: 2026-05-28T15:27:19.398Z

NVD

Status: Received

Published: 2026-05-28T16:16:21.667

Modified: 2026-05-28T17:16:20.297

Link: CVE-2026-35672

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T16:45:20Z

Weaknesses