Description
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.
Published: 2026-05-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

phpMyFAQ versions prior to 4.1.2 contain a flaw in the AbstractAdministrationController::userHasPermission() method: when the current user lacks the required permission it sends a forbidden response but does not stop execution. Because control returns to the calling page logic, that logic still runs and its output reaches the client, so any authenticated user who requests an admin URL obtains the administrative content despite the 403. The pages reached this way expose application logs, user information, system details, and configuration data, which can be used to plan further compromise of the application or its host.

Affected Systems

The vulnerability affects phpMyFAQ (tracked under the vendor names Thorsten and Phpmyfaq in the CVE and CPE records) in all releases before 4.1.2. Operators should check the installed version against that boundary; the CPE entry recorded on this page has no lower bound, so every earlier release is treated as affected.

Risk and Exploitability

The CVSS 4.0 base score is 7.1 (High); the vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N describes a network-reachable flaw that needs only low privileges and no user interaction, with high confidentiality impact and no integrity or availability impact (the CVSS 3.1 score recorded in the history is 6.5). The EPSS score is below 1%, a low but non-zero probability of exploitation in the wild, and the vulnerability is not listed in CISA KEV. Exploitation requires a valid authenticated session; once logged in, an attacker needs only to request a protected admin URL, since the missing termination is a deterministic logic error rather than a race or a configuration-dependent condition. The SSVC enrichment records Exploitation as "poc" and Automatable as "no": a proof of concept is known to exist, but no exploit reference is linked on this page.

Generated by OpenCVE AI on May 28, 2026 at 16:52 UTC.

Remediation

The description states that the issue is fixed in phpMyFAQ 4.1.2; no separate vendor advisory, patch reference or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.2 or later where the permission check has been corrected
  • Restrict direct access to the admin directory by configuring the web server (e.g., .htaccess or firewall rules) to allow only recognized administrative IP ranges and block other traffic
  • Add a server-side authorization layer in front of the admin controllers (e.g., a front-controller or middleware check that rejects and stops the request before any admin page code runs), so that a non-terminating check inside a single controller cannot leak content on its own
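To make the failure mode concrete, here is an added example in PHP, the project's language. It is not phpMyFAQ's code and does not reproduce its controller; the Output, CurrentUser and AdminController classes, the admin:view_logs permission and the sample log line are constructed for the illustration. The vulnerable variant mirrors the pattern described in the Impact section (a 403 is sent, then the caller simply continues); the fixed variant shows the stop-before-render behaviour that the third recommended action asks for.

```php
<?php
// Added example (not phpMyFAQ code): a permission check that emits a 403 but
// keeps running, next to a version that stops the request. Class, method and
// permission names are constructed for illustration.
declare(strict_types=1);

// Minimal stand-in for the HTTP response: headers go out once, body chunks append.
final class Output
{
    public int $status = 200;
    /** @var string[] */
    private array $chunks = [];

    public function send(int $status, string $chunk): void
    {
        if ($this->chunks === []) {      // like PHP's header(): effective only before output
            $this->status = $status;
        }
        $this->chunks[] = $chunk;
    }

    public function body(): string
    {
        return implode("\n", $this->chunks);
    }
}

final class CurrentUser
{
    /** @param string[] $permissions */
    public function __construct(private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

abstract class AdminController
{
    public function __construct(protected CurrentUser $user, protected Output $out) {}

    protected function renderLogs(): void
    {
        // Constructed sample of privileged content; a real page would read the database.
        $this->out->send(200, 'ADMIN LOG: alice changed main configuration');
    }
}

// Vulnerable pattern: sends "Forbidden" and returns to the caller, which proceeds.
final class VulnerableController extends AdminController
{
    private function userHasPermission(string $permission): void
    {
        if (!$this->user->can($permission)) {
            $this->out->send(403, 'Forbidden');
            // No return/exit/throw here, so the caller keeps going.
        }
    }

    public function logsPage(): Output
    {
        $this->userHasPermission('admin:view_logs');
        $this->renderLogs();                     // executes regardless of the check
        return $this->out;
    }
}

// Hardened pattern: the check reports failure and every caller stops on it.
final class FixedController extends AdminController
{
    private function userHasPermission(string $permission): bool
    {
        if ($this->user->can($permission)) {
            return true;
        }
        $this->out->send(403, 'Forbidden');
        return false;
    }

    public function logsPage(): Output
    {
        if (!$this->userHasPermission('admin:view_logs')) {
            return $this->out;                   // stop: nothing below may run
        }
        $this->renderLogs();
        return $this->out;
    }
}

// Scenario: an authenticated user with no admin permission requests the logs page.
$reader = new CurrentUser(['faq:read']);

foreach (['vulnerable' => VulnerableController::class, 'fixed' => FixedController::class] as $label => $class) {
    $out = (new $class($reader, new Output()))->logsPage();
    printf("%-10s HTTP %d body=%s\n", $label, $out->status, json_encode($out->body()));
}
```

Run it with `php example.php`: the vulnerable controller answers with HTTP 403, yet its body carries the log line after "Forbidden", which is the leak the advisory describes; the fixed controller returns only "Forbidden". In a front-controller application the same effect is obtained by returning the response object to the dispatcher or by throwing an exception that the kernel converts into a 403. A bare `exit` after the send also stops the leak, but it makes the check hard to unit-test and is easy to forget at the next call site, which is why the boolean return plus an early return in every caller (or a thrown exception) is the pattern to prefer.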

Advisories

No advisories yet.

History

Thu, 28 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Phpmyfaq; Phpmyfaq phpmyfaq
CPEs | | cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Vendors & Products | | Phpmyfaq; Phpmyfaq phpmyfaq
Metrics | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Mon, 18 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 22:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Thorsten; Thorsten phpmyfaq
Vendors & Products | | Thorsten; Thorsten phpmyfaq

Fri, 15 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.
Title | | phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T14:15:25.522Z

Reserved: 2026-05-13T19:40:27.809Z

Link: CVE-2026-46362

Vulnrichment

Updated: 2026-05-18T16:06:37.066Z

NVD

Status : Deferred

Published: 2026-05-15T19:17:03.520

Modified: 2026-05-28T16:16:26.860

Link: CVE-2026-46362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T17:00:13Z

Weaknesses