Skip to main content

phpMyFAQ CVE-2026-45009

| EUVDEUVD-2026-30592 MEDIUM
Incorrect Authorization (CWE-863)
2026-05-15 VulnCheck GHSA-9r8r-x3vg-6xh4
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 28, 2026 - 16:22 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
Patch available
May 15, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 15, 2026 - 19:37 vuln.today
Analysis Generated
May 15, 2026 - 19:37 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.

AnalysisAI

Authorization bypass in phpMyFAQ versions before 4.1.2 allows authenticated frontend users to access admin-only API endpoints and retrieve sensitive backend configuration data. The vulnerability stems from admin-api routes checking only login status (isLoggedIn) without verifying administrative privileges, enabling any valid user account to query dashboard versions, LDAP configuration details, Elasticsearch statistics, and health-check data. While this is an information disclosure issue rather than direct write access, it exposes internal infrastructure details useful for reconnaissance. The low CVSS score (4.3) reflects limited confidentiality impact, but defenders should prioritize remediation in environments where backend configuration exposure aids broader attack campaigns. Vendor patch available in version 4.1.2.

Technical ContextAI

phpMyFAQ is an open-source FAQ management system written in PHP. The vulnerability affects the authorization architecture in the Administration\Api controller namespace. The codebase implements two distinct access control methods in controller base classes: userIsAuthenticated() verifies only login status, while userHasPermission() performs role-based privilege checking. Multiple admin-api controllers (DashboardController, LdapController, ElasticsearchController, OpenSearchController, UpdateController) incorrectly use the weaker userIsAuthenticated() check despite serving administrative functions. This maps to CWE-863 (Incorrect Authorization), where authentication is present but insufficient for the sensitivity level of the resource. The affected endpoints use Symfony-style routing attributes with paths like '/admin/api/index.php/dashboard/versions', clearly indicating administrative intent. The CPE string cpe:2.3:a:thorsten:phpmyfaq identifies Thorsten Rinne as the vendor namespace. Both composer packages (thorsten/phpmyfaq and phpmyfaq/phpmyfaq) prior to 4.1.2 contain the flaw, with version 4.1.1 explicitly confirmed vulnerable.

RemediationAI

Upgrade immediately to phpMyFAQ version 4.1.2, which implements proper authorization checks in admin-api controllers by replacing userIsAuthenticated() calls with appropriate userHasPermission() role verification. Update via composer with 'composer update thorsten/phpmyfaq' or 'composer update phpmyfaq/phpmyfaq' depending on package namespace in use. Verify the patch by testing that regular user accounts can no longer access /admin/api/index.php/dashboard/versions or other admin endpoints (should return 401/403). If immediate patching is not feasible, implement compensating controls: (1) Apply web application firewall rules to block /admin/api/ paths for non-administrative source IPs, noting this breaks legitimate admin remote access and requires IP allowlisting; (2) Disable user registration if the FAQ system does not require public accounts, reducing attacker account acquisition; (3) Segment phpMyFAQ network access so that even with exposed LDAP/Elasticsearch configuration, attackers cannot reach those backend systems from the web tier. Monitor authentication logs for unusual patterns of admin-api endpoint access by non-privileged accounts. Full advisory and patch details: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2026-45009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy