Description
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access.
Published: 2026-05-28
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can reset any user account password without requiring a verification token or email confirmation, an issue classified as CWE-307. This enables full account takeover, including administrative control, representing a critical loss of confidentiality, integrity, and availability for affected systems.

Affected Systems

The vulnerability affects phpMyFAQ installations running versions prior to 4.1.3 and is reachable through the /api/user/password/update endpoint described in the advisory.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score is unavailable, suggesting that publicly known exploitation data is limited. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the web API; an attacker may enumerate valid usernames, trigger password resets, capture the new plaintext passwords via email, and then assume full control.

Generated by OpenCVE AI on May 28, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply phpMyFAQ 4.1.3 or later to eliminate the unauthenticated reset capability
  • Disable the /api/user/password/update endpoint temporarily until the update is applied
  • Configure monitoring of password reset activity and implement account lockout thresholds for repeated reset attempts
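As an added illustration of the monitoring and threshold action above (example code, not phpMyFAQ's or OpenCVE's own), the script below reads web-server access logs and flags any source address that issues more than a threshold number of POST requests to /api/user/password/update inside a sliding window. It assumes a combined-log-style access log; the sample lines, the 203.0.113.x/198.51.100.x addresses, and the threshold and window values are constructed for the example, and the only identifier taken from the page is the endpoint path.

```python
"""Sliding-window threshold detection for password reset activity.

Added illustration for the recommended actions; not phpMyFAQ code.
Assumes web-server access logs in a combined-log-like format. The sample
lines below are constructed for this example, not captured from a system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoint named in the advisory.
RESET_ENDPOINT = "/api/user/password/update"

# Constructed sample log lines (combined log format, minus referer/agent).
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:15:01:02 +0000] "POST /api/user/password/update HTTP/1.1" 200 312
203.0.113.7 - - [28/May/2026:15:01:05 +0000] "POST /api/user/password/update HTTP/1.1" 200 312
203.0.113.7 - - [28/May/2026:15:01:09 +0000] "POST /api/user/password/update HTTP/1.1" 200 312
203.0.113.7 - - [28/May/2026:15:01:14 +0000] "POST /api/user/password/update HTTP/1.1" 200 312
198.51.100.4 - - [28/May/2026:15:02:00 +0000] "POST /api/user/password/update HTTP/1.1" 200 312
198.51.100.4 - - [28/May/2026:15:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [28/May/2026:15:20:00 +0000] "POST /api/user/password/update HTTP/1.1" 200 312
"""

# Fields we need: client address, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_reset_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Flag source IPs that send more than `threshold` reset POSTs within `window`.

    A per-IP sliding window is kept, so a slow trickle spread over hours is
    not flagged while a burst is. The threshold and window are illustrative
    defaults; tune them to the site's normal reset volume.
    Returns {ip: (count_in_window, first_ts, last_ts)} for the first crossing.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        ip, ts, method, path, _status = rec
        if method != "POST" or path != RESET_ENDPOINT:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = (len(q), q[0], q[-1])
    return flagged


if __name__ == "__main__":
    for ip, (count, first, last) in find_reset_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} reset requests between {first} and {last}")
```

Run as-is, the script reports the burst from 203.0.113.7 (four reset POSTs in twelve seconds) and stays quiet about the single request from 198.51.100.4 and the later isolated request from the first address, which falls outside the window. A flagged address is the natural input for the lockout or rate-limit rule the recommendation calls for.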



Advisories
Source: Github GHSA
ID: GHSA-w9xh-5f39-vq89
Title: phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration
History

Thu, 28 May 2026 17:00:00 +0000

Type: First Time appeared
Values Added: Thorsten; Thorsten phpmyfaq

Type: Vendors & Products
Values Added: Thorsten; Thorsten phpmyfaq

Thu, 28 May 2026 15:30:00 +0000

Type: Description
Values Added: phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access.

Type: Title
Values Added: phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/update

Type: First Time appeared
Values Added: Phpmyfaq; Phpmyfaq phpmyfaq

Type: Weaknesses
Values Added: CWE-307

Type: CPEs
Values Added: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Phpmyfaq; Phpmyfaq phpmyfaq

Type: References
Values Added: (none listed)

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}
  cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T14:15:19.113Z

Reserved: 2026-04-04T12:32:50.477Z

Link: CVE-2026-35675

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-28T16:16:21.800

Modified: 2026-05-28T16:16:21.800

Link: CVE-2026-35675

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T17:00:13Z

Weaknesses