Description
phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this->userHasPermission(PermissionType::BACKUP). The same fix was not applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken() — which checks a shared API key header, rather than the individual user's role permissions. The following APIs are affected: POST /api/v4.0/category (CategoryController::create), POST /api/v4.0/faq (FaqController::create), PUT /api/v4.0/faq (FaqController::update), and POST /api/v4.0/question (QuestionController::create). This issue has been fixed in version 4.1.4.
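As an added illustration (not phpMyFAQ's own code), the controller shape the description contrasts: a write endpoint that stops at $this->hasValidToken() beside one that also calls $this->userHasPermission(), as the CVE-2026-24421 fix did for BackupController. The class scaffolding, the header name and the PermissionType::CATEGORY_ADD constant are hypothetical stand-ins; only PermissionType::BACKUP is named on the page.

```php
<?php
// Added illustration, not phpMyFAQ's code; names other than BACKUP are hypothetical stand-ins.
final class PermissionType
{
    public const BACKUP = 'backup';         // the one named in the advisory
    public const CATEGORY_ADD = 'add_cat';  // hypothetical placeholder
}
abstract class AbstractApiController
{
    public function __construct(
        private string $sharedApiKey,           // one key shared by every API caller
        private array $currentUserPermissions,  // role permissions of the acting user
    ) {}
    // Proves only that the caller knows the shared key header (header name is a
    // stand-in); says nothing about who the caller is or what their role may do.
    protected function hasValidToken(array $headers): bool
    {
        return hash_equals($this->sharedApiKey, $headers['x-pmf-token'] ?? '');
    }

    // Per-user role check: the call the advisory says the four endpoints lack.
    protected function userHasPermission(string $permission): bool
    {
        return in_array($permission, $this->currentUserPermissions, true);
    }
}
final class CategoryController extends AbstractApiController
{
    // Pre-4.1.4 shape: any holder of the shared key can write a category.
    public function createVulnerable(array $headers): int
    {
        if (!$this->hasValidToken($headers)) {
            return 401;
        }
        return 201; // category would be written here
    }

    // Fixed shape: the token check plus the role check BackupController already had.
    public function createFixed(array $headers): int
    {
        if (!$this->hasValidToken($headers)) {
            return 401;
        }
        if (!$this->userHasPermission(PermissionType::CATEGORY_ADD)) {
            return 403;
        }
        return 201;
    }
}
```

With a correct shared key but an empty permission list, createVulnerable() returns 201 while createFixed() returns 403, which is the gap the 4.1.4 release closes.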
Published: 2026-06-18
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Because the API write endpoints in phpMyFAQ prior to version 4.1.4 use only a shared token rather than individual role checks, an attacker who obtains a valid token can create, update, or delete categories, FAQs, and questions. This flaw allows arbitrary alteration of the FAQ content, directly compromising the integrity of the data stored by the application. The weakness is a classic missing authorization issue (CWE‑862).

Affected Systems

The affected product is phpMyFAQ from the vendor thorsten. All releases older than 4.1.4 are vulnerable. This includes the 4.0.x series and any pre‑4.1.4 build that has the public API enabled.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely by sending crafted HTTP requests to the POST /api/v4.0/category, POST /api/v4.0/faq, PUT /api/v4.0/faq, or POST /api/v4.0/question endpoints, provided they hold a functional shared API key. The attack requires only network access to the target application and does not rely on privileged user credentials. Given the moderate CVSS score, the risk is significant enough to warrant prompt remediation.

Generated by OpenCVE AI on June 18, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpMyFAQ to version 4.1.4 or later, which applies the missing authorization checks to all write endpoints.
  • Limit the use of the shared API key by restricting its permissions or moving to user‑based API tokens that enforce role checks.
  • Re‑configure the application to disable or protect the public write endpoints, ensuring that only authenticated and authorized users can perform write operations.


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Thorsten; Thorsten phpmyfaq

Type: Vendors & Products
Values Removed: (none)
Values Added: Thorsten; Thorsten phpmyfaq

Thu, 18 Jun 2026 22:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this->userHasPermission(PermissionType::BACKUP). The same fix was not applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken() — which checks a shared API key header, rather than the individual user's role permissions. The following APIs are affected: POST /api/v4.0/category (CategoryController::create), POST /api/v4.0/faq (FaqController::create), PUT /api/v4.0/faq (FaqController::update), and POST /api/v4.0/question (QuestionController::create). This issue has been fixed in version 4.1.4.

Type: Title
Values Removed: (none)
Values Added: phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Thorsten Phpmyfaq
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T21:12:34.764Z

Reserved: 2026-05-28T03:42:34.340Z

Link: CVE-2026-49205

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses