Description
phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials.
Published: 2026-05-28
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to reset a valid user’s password without prior authentication. By sending a PUT request to the /api/index.php/user/password/update endpoint, an adversary can change the account password without providing a reset token or having valid credentials. This flaw also enables enumeration of existing username and email pairs, which can further ease credential compromise.

Affected Systems

Thorsten’s phpMyFAQ installations running any version prior to 4.1.3 are susceptible to this issue. The flaw exists in the core API handling for user password updates and affects all deployments of phpMyFAQ that have not applied the latest patch beyond 4.1.3.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability, and the lack of an EPSS score suggests no publicly reported exploitation at this time, though the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, as an unauthenticated HTTP request can trigger the password change, meaning that an attacker only needs network access to the API endpoint to exploit the flaw.

Generated by OpenCVE AI on May 28, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.3 or later to eliminate the password update flaw.
  • Restrict access to the /api/index.php/user/password/update endpoint using firewall rules or server configuration, ensuring that only trusted IP addresses or authenticated users can reach the API.
  • Enable monitoring and alerting for unexpected password reset events, and review account activity logs for signs of unauthorized changes.

Generated by OpenCVE AI on May 28, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9qv9-8xv6-5p35 phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation
History

Thu, 28 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials.
Title phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint
First Time appeared Phpmyfaq
Phpmyfaq phpmyfaq
Weaknesses CWE-640
CPEs cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products Phpmyfaq
Phpmyfaq phpmyfaq
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Phpmyfaq Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T15:35:36.744Z

Reserved: 2026-04-04T12:32:50.477Z

Link: CVE-2026-35676

cve-icon Vulnrichment

Updated: 2026-05-28T15:35:20.528Z

cve-icon NVD

Status : Received

Published: 2026-05-28T16:16:21.923

Modified: 2026-05-28T17:16:20.443

Link: CVE-2026-35676

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T16:30:15Z

Weaknesses