phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint | Advisories

Advisories

phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint

severity: critical
date: 5/15/2026
Affecting: phpmyfaq >= 0, < 4.1.2
CVE: CVE-2026-45010
CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts
CVSS: 9.1
References: GHSA Advisory GHSA-9pq7-mfwh-xx2j
Credit: adrgs, aisafe-bot
Description: phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by submitting POST requests with sequential token values, bypassing two-factor authentication to gain full administrative access.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo