phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints | Advisories

Advisories

phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints

severity: medium
date: 5/15/2026
Affecting: phpmyfaq >= 4.1.1, < 4.1.2
CVE: CVE-2026-45009
CWE: CWE-863 Incorrect Authorization
CVSS: 4.3
References: GHSA Advisory GHSA-jrc5-w569-h7h5
Credit: kitu232
Description: phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo