Security Advisory · Published 2026-05-29

phpMyFAQ: Four Ways to Own Your FAQ System Without a Password

I just read through four separate security advisories for phpMyFAQ and I'm genuinely surprised this software still exists in production anywhere. Four CVEs dropped on the same day, all in versions before 4.1.3, and together they paint a picture so bad I need to walk you through it: an attacker with zero credentials can reset any user's password, escalate to SuperAdmin, and take complete control of your FAQ system — and anything connected to it. No exploit kit required. Just a few HTTP requests.

The four CVEs at a glance

CVECVSSWhat it doesAuth needed?
CVE-2026-356758.8Password reset without token verificationNo
CVE-2026-356768.8Force password change via API (no validation)No
CVE-2026-356728.7Authentication bypass in password updateNo
CVE-2026-356718.8IDOR: low-privilege admin → SuperAdminLow-priv admin

Chain them together and you get: enumerate users → reset password without email confirmation → log in as admin → escalate to SuperAdmin via IDOR. Complete takeover in under 60 seconds.

CVE-2026-35675: Password reset with no token

The password reset endpoint doesn't verify the reset token. Read that again. The entire point of a password reset token is to prove that the person requesting the reset owns the email address. phpMyFAQ just... doesn't check it. You send a PUT to /api/index.php/user/password/update with a username and new password, and it works. No token. No email confirmation. Nothing.

Operational impact: An attacker enumerates usernames (phpMyFAQ's login error messages helpfully confirm whether a username exists), then resets the admin password to whatever they want. The real admin gets no notification. They just can't log in anymore.

CVE-2026-35676: Force password change via API

Same endpoint, different angle. This one lets you change passwords for any account by sending username + email pairs. The API doesn't validate the request origin, doesn't require the old password, doesn't send a confirmation. It just changes it.

Operational impact: Mass account lockout. An attacker can enumerate every user and reset all passwords simultaneously, locking out your entire team.

CVE-2026-35672: Auth bypass in password update

Yet another variant of the same broken endpoint. The authentication check on the password update API can be bypassed entirely. Treat the user management API as untrusted until the fixed version is installed.

CVE-2026-35671: IDOR escalation to SuperAdmin

Once you're in (which is trivial via the above), this one lets a low-privilege admin change any user's password by modifying the userId parameter in the overwrite-password API call. No authorization verification. A low-privilege admin can become SuperAdmin through the vulnerable API call.

Am I affected?

You're affected if:

  • You run phpMyFAQ in any version before 4.1.3
  • Your instance is accessible from the internet (even behind basic auth — if the API is reachable, you're vulnerable)

Check right now — 60 seconds

# Find phpMyFAQ installations:
find / -name "phpmyfaq" -type d 2>/dev/null
find / -path "*/phpmyfaq/src/Bootstrap.php" 2>/dev/null

# Check version:
grep -r "VERSION" /path/to/phpmyfaq/src/Bootstrap.php 2>/dev/null | grep -i "const"

# Or check the admin footer:
curl -s https://your-faq-domain.com/admin/ | grep -i "phpmyfaq\|version"

# Check if the vulnerable API endpoint is reachable:
curl -s -o /dev/null -w "%{http_code}" https://your-faq-domain.com/api/index.php/user/password/update

If that last command returns anything other than 404, the endpoint exists and you need to act.

Check for exploitation

# Look for suspicious password reset activity in logs:
grep -i "password/update\|overwrite-password" /var/log/apache2/access.log /var/log/nginx/access.log 2>/dev/null | tail -30

# Check for PUT requests to the user API:
grep "PUT.*api.*user" /var/log/apache2/access.log /var/log/nginx/access.log 2>/dev/null | tail -20

# Check phpMyFAQ admin log (if enabled):
find / -path "*phpmyfaq*" -name "*.log" -exec grep -li "password\|admin" {} \; 2>/dev/null

# Look for admin accounts created recently:
# (Check your phpMyFAQ database directly)
mysql -u root -p -e "SELECT id, login, last_login FROM faquser WHERE auth_source='local' ORDER BY last_login DESC LIMIT 10;" your_faq_db

What to do right now

🔴 Right now — 5 minutes

# Block the vulnerable API endpoints at the web server level:
# For Apache (.htaccess in phpMyFAQ root):
echo '
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^api/index\.php/user/password - [F,L]
</IfModule>' >> /path/to/phpmyfaq/.htaccess

# For Nginx (add to server block):
# location ~* /api/index\.php/user/password {
#     deny all;
#     return 403;
# }

🟡 Today — 30 minutes

# Update phpMyFAQ to 4.1.3+:
cd /path/to/phpmyfaq
# Download latest from https://www.phpmyfaq.de/download
# Follow their upgrade guide

# Force reset ALL admin passwords after update:
# Log in as SuperAdmin → Admin → User Management → reset every account

# Enable audit logging if not already on

🟢 This week — harden

  • Put admin behind IP whitelist/admin/ and /api/ should only be reachable from your office IP
  • Enable 2FA — phpMyFAQ 4.x supports TOTP. Turn it on for all admin accounts
  • Rate limit the API — No legitimate user sends 50 password reset requests per minute
  • Consider alternatives — If your FAQ system has 4 auth bypasses in one release, maybe it's time to evaluate other options (GitBook, Notion public pages, or a static site generator)

Why this matters

phpMyFAQ is used by companies, government agencies, and educational institutions to host internal and external FAQ/knowledge base systems. These systems often contain sensitive internal procedures, customer data references, and are integrated with other internal tools. A compromised FAQ system isn't just embarrassing — it's a pivot point into your network.

Four authentication bypasses in one release tells me the codebase has systemic access control issues. Even after patching, I'd recommend a thorough audit of any phpMyFAQ instance you run.

Need help?

If you found suspicious API calls in your logs, or you're not sure if your phpMyFAQ instance has been compromised, Ping7 can check for unauthorized access, verify all accounts, and lock the instance down properly.

  • Quick security check: $49 - verify your instance and patch it
  • Full incident response: $299 if you've been compromised

Request CVE repair

References