Skip to main content

phpMyFAQ EUVDEUVD-2026-32902

| CVE-2026-35671 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-05-28 VulnCheck GHSA-xvp4-phqj-cjr3
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch available
May 28, 2026 - 17:01 EUVD
Analysis Updated
May 28, 2026 - 16:36 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 16:35 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 16:22 NVD
8.8 (HIGH) 8.7 (HIGH)
Source Code Evidence Fetched
May 28, 2026 - 15:54 vuln.today
Analysis Generated
May 28, 2026 - 15:54 vuln.today

DescriptionCVE.org

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.

AnalysisAI

Privilege escalation in phpMyFAQ before 4.1.3 allows any authenticated low-privilege administrator to take over SuperAdmin (userId=1) or any other account by manipulating the userId parameter in the /admin/api/user/overwrite-password PUT request. The flaw is an insecure direct object reference (IDOR) in the Admin API where authorization checks confirm only that the caller holds the generic USER_EDIT permission, never that the caller is authorized to manage the targeted account. No public exploit identified at time of analysis, but the GHSA advisory from the vendor (thorsten) publicly documents the exact vulnerable code path, making weaponization trivial.

Technical ContextAI

phpMyFAQ is a popular open-source PHP-based FAQ management system maintained by Thorsten Rinne and distributed via Composer (composer/thorsten/phpmyfaq and composer/phpmyfaq/phpmyfaq, per CPE cpe:2.3:a:thorsten:phpmyfaq). The root cause maps to CWE-266 (Incorrect Privilege Assignment): in phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/UserController.php (lines 232-271), the overwritePassword() method calls userHasUserPermission() - which only verifies the generic USER_EDIT capability - and then trusts the client-supplied userId from the JSON body to select which account's password to reset. CSRF is verified, but no horizontal or vertical authorization check confirms the caller is allowed to manage the targeted user or that the target's privilege level is equal or lower than the caller's, so a low-tier admin can pivot to userId=1 (SuperAdmin).

RemediationAI

Vendor-released patch: upgrade phpMyFAQ to version 4.1.3 or later via Composer (thorsten/phpmyfaq or phpmyfaq/phpmyfaq), per GHSA-xvp4-phqj-cjr3 (https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-xvp4-phqj-cjr3). If immediate upgrade is not possible, restrict network access to the /admin path (for example via a reverse proxy ACL, IP allowlist, or VPN-only access) so that only trusted operators can reach the admin API surface - this prevents exploitation but blocks remote admin workflows for legitimate users. As an additional compensating control, audit and reduce the number of accounts holding the USER_EDIT permission and rotate all admin and SuperAdmin passwords after patching, since prior compromise of any admin account is sufficient to have already pivoted to SuperAdmin; note that password rotation alone does not remediate the bug, only upgrading does. Additional context is available in the VulnCheck advisory at https://www.vulncheck.com/advisories/phpmyfaq-insecure-direct-object-reference-in-user-password-api.

CVE-2023-5865 CRITICAL POC
9.8 Oct 31

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. Rated critical severity (CVSS 9.8

CVE-2023-1886 CRITICAL POC
9.8 Apr 05

Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2026-46364 CRITICAL POC
9.3 May 15

Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and

CVE-2017-15730 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. Rated high severity (CVS

CVE-2017-15808 HIGH POC
8.8 Oct 23

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2017-15735 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. Rated high severity (CVSS

CVE-2017-15734 HIGH POC
8.8 Oct 22

In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. Rated high severity (CVSS 8

CVE-2024-28107 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2024-27299 HIGH POC
8.8 Mar 25

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated high severi

CVE-2023-1762 HIGH POC
8.8 Mar 31

Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated high severity (CVSS 8.8), th

Share

EUVD-2026-32902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy