Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.
AnalysisAI
Authentication bypass in phpMyFAQ versions prior to 4.1.3 lets remote unauthenticated attackers create and modify FAQ entries, categories, and questions through the REST API v4.0 by submitting an empty x-pmf-token header that matches the default empty api.apiClientToken value. The flaw stems from strict string comparison logic that cannot distinguish an unconfigured token from an attacker-supplied empty one, exposing every default installation. No public exploit identified at time of analysis, but the GHSA advisory includes a detailed proof-of-concept walkthrough.
Technical ContextAI
phpMyFAQ is a widely deployed open-source PHP FAQ management system (CPE cpe:2.3:a:thorsten:phpmyfaq) maintained by Thorsten Rinne. The defect maps to CWE-1188 (Insecure Default Initialization of a Resource): the installer's DefaultDataSeeder.php seeds the api.apiClientToken configuration value with an empty string, and AbstractController::hasValidToken() uses a strict ! comparison against the inbound x-pmf-token HTTP header. Because '' ! '' evaluates false, the default empty token both satisfies the comparison and bypasses the only authentication guard protecting POST /api/v4.0/faq/create, PUT /api/v4.0/faq/update, POST /api/v4.0/category, and POST /api/v4.0/question - endpoints the OpenAPI annotations explicitly mark as authenticated.
RemediationAI
Vendor-released patch: upgrade phpMyFAQ to 4.1.3 or later, which corrects the seeded default and the comparison logic per the GHSA-gp95-j463-vv28 advisory (https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gp95-j463-vv28). If immediate upgrade is not possible, set api.apiClientToken to a long random secret in the admin configuration so the strict comparison no longer accepts an empty header - this is the lowest-impact workaround and breaks only existing API clients that were relying on the (insecure) empty token. Alternatively, block POST /api/v4.0/faq/create, PUT /api/v4.0/faq/update, POST /api/v4.0/category, and POST /api/v4.0/question at the reverse proxy or WAF, or disable the REST API entirely by setting api.enableAccess to false; both options disable legitimate API-driven content management until reverted.
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8
Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th
Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS
In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi
Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32903
GHSA-gp95-j463-vv28