CVE-2026-24421
Published 2026-01-24
Priority: P3 51 · medium 6.5 (CVSS 3.1)
CVSS vector: AV:N AC:L PR:L UI:N S:U C:H I:N A:N
EPSS: 1.73% (74.8th percentile)
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user, regardless of their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpmyfaq | phpmyfaq | < 4.0.17 | 4.0.17 |
| phpmyfaq | phpmyfaq | >= 0 < 4.1.4 | 4.1.4 |
| phpmyfaq | phpmyfaq | >= 0 < 4.0.17 | 4.0.17 |
| thorsten | phpmyfaq | < 4.1.4 | 4.1.4 |
| thorsten | phpmyfaq | >= 0 < 4.1.4 | 4.1.4 |
| thorsten | phpmyfaq | >= 0 < 4.0.17 | 4.0.17 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| ghsa | | 6.5 | MEDIUM | |
GHSA
CVE-2026-49205 [MEDIUM] CWE-862 phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)
ghsa · 2026-06-23 · CVSS 6.5
Missing Authorization in API CategoryController — CVE-2026-24421 fixed BackupController by adding userHasPermission(PermissionType::BACKUP). The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call hasValidToken() (shared API key) but never call userHasPermission(), allowing any API token holder to perform admin operations regardless of their user permissions.
## Summary
CVE-2026-24421 fixed BackupController by adding `$this->userHasPermission(PermissionType::BACKUP);`
The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call `$this->hasValidToken()`, which checks a shared API key header, NOT the individual user's role permissio
OSV
CVE-2026-24421 [MEDIUM] phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)
osv · 2026-01-23
### Summary
Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.
### Details
SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path.
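The authentication-versus-authorization gap described in these Details, together with the hasValidToken()-only pattern from the GHSA incomplete-fix entry earlier on this page, as an added example that is not phpMyFAQ's own code; PermissionType, User and the method bodies are hypothetical stand-ins, and the two check styles are collapsed into one controller for illustration:

```php
<?php
// Added illustrative PHP (PHP 8.1+), not phpMyFAQ's own code. It places the
// authentication-only checks the advisories describe (userIsAuthenticated(),
// hasValidToken()) beside the per-user authorization check the fix adds
// (userHasPermission(PermissionType::BACKUP)), collapsed into one controller.
declare(strict_types=1);
// Hypothetical stand-ins for phpMyFAQ's PermissionType and user model.
final class PermissionType { public const BACKUP = 'backup'; }

final class User {
    public function __construct(
        public readonly string $name,
        public readonly bool $loggedIn,
        private readonly array $permissions, // e.g. [PermissionType::BACKUP]
    ) {}
    public function hasPermission(string $perm): bool {
        return in_array($perm, $this->permissions, true);
    }
}

final class BackupController {
    private const SHARED_API_TOKEN = 'constructed-shared-token'; // constructed value
    public function __construct(public readonly User $user, private readonly ?string $apiToken) {}
    private function userIsAuthenticated(): bool { return $this->user->loggedIn; }
    private function hasValidToken(): bool { return $this->apiToken === self::SHARED_API_TOKEN; }
    private function userHasPermission(string $perm): bool { return $this->user->hasPermission($perm); }

    // Flawed pattern: a login session or the shared API key is all that is checked.
    public function vulnerableBackup(): int {
        if (!$this->userIsAuthenticated() && !$this->hasValidToken()) { return 401; }
        return 200; // backup ZIP link handed to any authenticated caller
    }

    // Fixed pattern: identity first, then the caller's own permission.
    public function fixedBackup(): int {
        if (!$this->userIsAuthenticated() && !$this->hasValidToken()) { return 401; }
        if (!$this->userHasPermission(PermissionType::BACKUP)) { return 403; }
        return 200;
    }
}

// Constructed callers: a logged-in non-admin, a shared-token holder without
// the backup permission, and an admin who holds it.
$callers = [
    new BackupController(new User('tester', true, []), null),
    new BackupController(new User('apiuser', false, []), 'constructed-shared-token'),
    new BackupController(new User('admin', true, [PermissionType::BACKUP]), null),
];
foreach ($callers as $c) {
    printf("%-8s vulnerable=%d fixed=%d\n", $c->user->name, $c->vulnerableBackup(), $c->fixedBackup());
}
```

Run with `php example.php`: the flawed path returns 200 for all three callers, while the fixed path returns 403 for the non-admin and the shared-token holder and 200 only for the admin.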
### PoC
Precondition: API enabled, any authenticated non‑admin user.
- Log in as a non‑admin user.
- Call backup endpoint.
```
curl -c /tmp/pmf_api_cookies.txt \
  -H 'Content-Type: application/json' \
  -d '{"username":"tester","password":"Test1234!"}' \
  http://192.168.40.16/phpmyfaq/api/v3.0/l
```
GHSA
CVE-2026-24421 [MEDIUM] CWE-285 phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)
ghsa · 2026-01-23
Detection rules: none found.
Published: 2026-01-24