Description
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.
Published: 2026-05-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

phpMyFAQ before version 4.1.2 allows attackers to submit arbitrary user‑id parameters without any session binding or rate limiting to the /admin/check endpoint. This flaw permits an unauthenticated attacker to brute‑force a victim’s six‑digit TOTP code by sequentially trying all possible tokens. Successful exploitation grants full administrative control, compromising the confidentiality and integrity of the entire instance.

Affected Systems

The vulnerability affects installations of phpMyFAQ prior to the 4.1.2 release. Any server hosting a version before 4.1.2 and exposing the /admin/check endpoint is impacted.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity, and while the EPSS score is not available, the lack of rate limiting and session checks suggest a high likelihood of exploitation. The vulnerability is not on the CISA KEV list, but the straightforward attack vector—unauthenticated POST requests—reduces the required skill level for attackers.

Generated by OpenCVE AI on May 15, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or newer, which removes the unauthenticated access to the /admin/check endpoint.
  • Block or restrict POST requests to /admin/check for non‑authenticated sessions using a firewall or web‑application firewall rule, limiting the number of requests from a single IP.
  • As a temporary measure, alter the configuration to require a valid session or authenticated user ID before processing /admin/check requests, or disable the endpoint entirely until the patch is applied.

Generated by OpenCVE AI on May 15, 2026 at 20:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Thorsten
Thorsten phpmyfaq
Vendors & Products Thorsten
Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.
Title phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Thorsten Phpmyfaq
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T22:22:06.593Z

Reserved: 2026-05-08T16:43:53.068Z

Link: CVE-2026-45010

cve-icon Vulnrichment

Updated: 2026-05-15T22:11:49.886Z

cve-icon NVD

Status : Received

Published: 2026-05-15T19:17:01.450

Modified: 2026-05-15T23:16:20.927

Link: CVE-2026-45010

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T21:45:08Z

Weaknesses