Description
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.
Published: 2026-05-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

phpMyFAQ versions prior to 4.1.2 contain a flaw in the AbstractAdministrationController::userHasPermission() method: it sends a forbidden response but does not terminate execution. Because control returns to the calling page, any authenticated user who requests an admin URL reaches the underlying page logic and retrieves administrative resources. The affected pages expose application logs, user information, system details, and configuration data, potentially enabling further compromise of the application or host.

Affected Systems

The vulnerability affects the phpMyFAQ project from Thorsten, impacting all releases before 4.1.2. Users running these older versions should identify the exact build and verify that it is susceptible to the bypass.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate to high risk. The EPSS score is unknown, so the current likelihood of widespread exploitation cannot be quantified, and the vulnerability is not listed in CISA KEV. Exploitation requires a valid authenticated session; once logged in, an attacker may simply request any protected admin URL to obtain privileged data. The absence of a termination path makes the flaw easier to exploit, but no publicly available exploit code is noted in the advisory.

Generated by OpenCVE AI on May 15, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or later where the permission check has been corrected
  • Restrict direct access to the admin directory by configuring the web server (e.g., .htaccess or firewall rules) to allow only recognized administrative IP ranges and block other traffic
  • Implement an additional verification layer or application redirect on the server side that checks user roles before rendering admin content to guard against future permission bypasses
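The defect class described in the Impact section above, and the server-side role check the last recommended action calls for, are shown side by side in the following PHP example. This is added illustration, not phpMyFAQ's own code or its actual fix; every class, function and permission name in it (CurrentUser, userHasPermissionVulnerable, requirePermission, ForbiddenException, dispatch, the 'view-logs' permission) is hypothetical, and the log contents are a constructed sample.

```php
<?php
// Added example, not phpMyFAQ's code: a permission check that emits a 403
// but lets the caller keep running, beside a fail-closed alternative.
// All names below are hypothetical.

declare(strict_types=1);

final class CurrentUser
{
    /** @param string[] $permissions permissions held by this session */
    public function __construct(private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

function renderLogs(): string
{
    // Constructed sample of a privileged resource.
    return "<pre>admin log contents (constructed sample)</pre>\n";
}

// --- Vulnerable shape -------------------------------------------------
// The check sends the forbidden response and then returns normally. A
// caller that does not branch on the return value continues rendering, so
// the 403 status is followed by the protected content in the same response.
function userHasPermissionVulnerable(CurrentUser $user, string $permission): bool
{
    if (!$user->can($permission)) {
        http_response_code(403);
        echo "Forbidden\n";
        return false; // execution continues in the caller
    }
    return true;
}

function adminLogsPageVulnerable(CurrentUser $user): void
{
    userHasPermissionVulnerable($user, 'view-logs');
    echo renderLogs(); // reached even when the check above failed
}

// --- Corrected shape --------------------------------------------------
// The check throws on failure, so there is no code path in which a denied
// request reaches the protected content, whether or not each page handler
// remembers to inspect a return value. One front controller turns the
// exception into the terminated 403 response.
final class ForbiddenException extends RuntimeException {}

function requirePermission(CurrentUser $user, string $permission): void
{
    if (!$user->can($permission)) {
        throw new ForbiddenException("missing permission: $permission");
    }
}

function adminLogsPageFixed(CurrentUser $user): string
{
    requirePermission($user, 'view-logs');
    return renderLogs(); // only reachable when the check passed
}

function dispatch(callable $handler, CurrentUser $user): void
{
    try {
        echo $handler($user);
    } catch (ForbiddenException $e) {
        http_response_code(403);
        echo "Forbidden\n";
        exit; // terminate: nothing after a denial is ever sent
    }
}

// Demonstration with a constructed low-privilege session.
$reader = new CurrentUser(['read-faq']);

echo "-- vulnerable handler --\n";
adminLogsPageVulnerable($reader);      // prints Forbidden AND the log sample

echo "-- fixed handler --\n";
dispatch('adminLogsPageFixed', $reader); // prints Forbidden, then stops
```

Run it from the command line with `php example.php`; the first block of output shows the forbidden message followed by the log sample, the second shows only the forbidden message. The design point is that a check whose denial is advisory (a return value the caller may ignore) is only as strong as the most careless caller, whereas a check that throws or exits is fail-closed for every page that uses it.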



Advisories

No advisories yet.

History

Fri, 15 May 2026 22:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Thorsten; Thorsten phpmyfaq
Vendors & Products | (none) | Thorsten; Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.
Title | (none) | phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check
Weaknesses | (none) | CWE-863
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T18:36:41.173Z

Reserved: 2026-05-13T19:40:27.809Z

Link: CVE-2026-46362

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-15T19:17:03.520

Modified: 2026-05-15T19:17:03.520

Link: CVE-2026-46362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:45:08Z

Weaknesses