Description
phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.
Published: 2026-05-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in phpMyFAQ allows authenticated users with ordinary accounts to reach administrative API endpoints because the system only verifies that the user is logged in, not that they hold administrator privileges (CWE-863, incorrect authorization). By requesting these endpoints, an attacker can obtain sensitive administrative information such as dashboard versions, LDAP configuration details, Elasticsearch statistics, and health-check data.
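
The description above comes down to an authentication check standing in for an authorization check. The PHP below is an added illustration, not phpMyFAQ's own code: the Session class, the right names and the admin-api route map are assumptions. It places the weak guard beside a strict one that ties each admin-api route to a backend right and denies unmapped routes by default.

```php
<?php
// Added illustration, not phpMyFAQ's own code: class, rights and routes are assumptions.
declare(strict_types=1);

final class Session
{
    /** @param string[] $rights backend rights held by this account (assumed names) */
    public function __construct(private bool $loggedIn, private array $rights) {}

    public function isLoggedIn(): bool { return $this->loggedIn; }

    public function hasRight(string $right): bool { return in_array($right, $this->rights, true); }
}

// Weak guard (the CWE-863 pattern): the route only asks whether *someone* is logged in.
function adminGuardWeak(Session $session): bool
{
    return $session->isLoggedIn();
}

// Strict guard: authentication plus the specific backend right the route needs.
function adminGuardStrict(Session $session, string $requiredRight): bool
{
    return $session->isLoggedIn() && $session->hasRight($requiredRight);
}

// Constructed route map (assumed paths): every admin-api route names the right it requires.
// A path with no entry gets no right and is therefore denied by default.
const ADMIN_ROUTES = [
    '/admin-api/dashboard/versions' => 'admin:dashboard',
    '/admin-api/ldap'               => 'admin:ldap',
];

function authorizeAdminRoute(Session $session, string $path): bool
{
    $required = ADMIN_ROUTES[$path] ?? null;
    return $required !== null && adminGuardStrict($session, $required);
}

// Constructed accounts: a plain frontend user with no backend rights, and an administrator.
$frontendUser = new Session(true, []);
$admin        = new Session(true, ['admin:dashboard', 'admin:ldap']);

foreach (['frontend user' => $frontendUser, 'admin' => $admin] as $label => $s) {
    printf("%-13s weak guard: %-7s strict guard on /admin-api/ldap: %s\n", $label,
        adminGuardWeak($s) ? 'allowed' : 'denied',
        authorizeAdminRoute($s, '/admin-api/ldap') ? 'allowed' : 'denied');
}
```

With the weak guard both accounts are allowed through; with the strict guard only the administrator is, and a request for a path missing from the map is refused regardless of who sends it.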

Affected Systems

The vulnerability affects installations of phpMyFAQ older than version 4.1.2. Users running these releases should be aware of the issue.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate (Medium) severity. The EPSS score is below 1%, showing a very low but non-zero likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to hold a valid authenticated frontend account; once logged in, the attacker can send requests to the admin API endpoints and retrieve sensitive information. No remote code execution or denial-of-service impact is disclosed.

Generated by OpenCVE AI on May 28, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or later, which adds the missing authorization check.
  • Ensure that user accounts have appropriate role assignments and that administrative APIs are protected by comprehensive access controls.
  • Audit logs to detect unusual API usage patterns by ordinary users, and implement monitoring or alerting for such activity.



Advisories

Source: GitHub GHSA
ID: GHSA-9r8r-x3vg-6xh4
Title: phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check
History

Thu, 28 May 2026 15:30:00 +0000 (values added; nothing removed)

  • First Time appeared: Phpmyfaq; Phpmyfaq phpmyfaq
  • CPEs: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
  • Vendors & Products: Phpmyfaq; Phpmyfaq phpmyfaq
  • Metrics (cvssV4_0): {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Fri, 15 May 2026 21:15:00 +0000 (values added; nothing removed)

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 21:00:00 +0000 (values added; nothing removed)

  • First Time appeared: Thorsten; Thorsten phpmyfaq
  • Vendors & Products: Thorsten; Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000 (values added; nothing removed)

  • Description: phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.
  • Title: phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints
  • Weaknesses: CWE-863
  • References: (empty)
  • Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T14:15:21.957Z

Reserved: 2026-05-08T16:43:53.068Z

Link: CVE-2026-45009

Vulnrichment

Updated: 2026-05-15T20:03:49.336Z

NVD

Status : Deferred

Published: 2026-05-15T19:17:01.327

Modified: 2026-05-28T16:16:25.650

Link: CVE-2026-45009

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T16:45:20Z

Weaknesses