CVE-2026-24420: When isset() Becomes a Backdoor in phpMyFAQ
Vulnerability ID: CVE-2026-24420
CVSS Score: 6.5
Published: 2026-01-23
A logic flaw in phpMyFAQ's permission check lets any authenticated user download attachments that have been explicitly restricted: the check tests whether the permission key exists (PHP's isset()) rather than whether it is true, and its boolean expression silently discards the per-user permission.
TL;DR
phpMyFAQ 3.2.x (through 3.2.13) and early 4.x builds contain a Broken Access Control vulnerability. The attachment check verifies that the dlattachment permission key exists rather than that its value is true, and its condition $groupPermission || ($groupPermission && $userPermission) collapses to $groupPermission alone, so the user-level restriction is never consulted. A restricted user whose permission entry is present but false can therefore download restricted attachments.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-284 / CWE-862
- CVSS v3.1: 6.5 (Medium)
- Attack Vector: Network (Authenticated)
- Impact: Confidentiality Loss
- Privileges Required: Low (Any valid user)
- Exploit Status: PoC Available
Affected Systems
- phpMyFAQ: <= 3.2.13 (fixed in 3.2.14)
Code Analysis
Commit: b2e4f6a
Fix permission check in attachment.php
- if (($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment'])) {
+ if (($groupPermission && $userPermission) && !empty($permission['dlattachment']) && $permission['dlattachment'] === true) {
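Review bot: the strict `=== true` comparison on the `+` line denies every download if $permission['dlattachment'] arrives as 1 or "1" (for example straight from a database row) instead of a PHP bool, so either confirm the value is cast to bool before this point or compare a normalized value such as (bool) $permission['dlattachment'] === true. The preceding !empty($permission['dlattachment']) is then redundant with the strict comparison; if it only exists to avoid an undefined-key warning, ($permission['dlattachment'] ?? false) === true says the same in one term. Note also that the condition moved from (effectively) $groupPermission alone to $groupPermission && $userPermission, which is stricter than the original's apparent intent of "group OR (group AND user)"; the one-line commit message does not say whether users with a group grant but no user grant are now meant to be denied, and that should be documented.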
Exploit Details
- Internal Research: The PoC is trivial: authenticate as any low-privileged user, then issue a direct GET request to the attachment download endpoint for a restricted attachment.
Mitigation Strategies
- Upgrade to phpMyFAQ v3.2.14 or later.
- Manually patch attachment.php to replace the isset() test with a strict value check (the permission must be exactly true) and to require both the group and the user permission.
- Disable the attachment functionality entirely via configuration if patching is not possible.
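To make the two defects concrete, here is an added example (not code from the phpMyFAQ project) that wraps the pre-fix and post-fix conditions from the diff in the Code Analysis section in two functions and runs them over constructed permission records. The function names, the $groupPermission/$userPermission parameters and the record values are assumptions for illustration; only the key name dlattachment and the two boolean expressions come from the diff.

```php
<?php
// Added example, not phpMyFAQ's own code. The two functions below reproduce the
// pre-fix and post-fix conditions from the attachment.php diff; $groupPermission
// and $userPermission stand in for the booleans phpMyFAQ computes before the check.

function vulnerableCheck(bool $groupPermission, bool $userPermission, array $permission): bool
{
    // Pre-fix logic. Two defects:
    //  1. A || (A && B) is just A (absorption law), so $userPermission never matters.
    //  2. isset() is true for ANY non-null value, including false, 0 and "".
    return ($groupPermission || ($groupPermission && $userPermission))
        && isset($permission['dlattachment']);
}

function fixedCheck(bool $groupPermission, bool $userPermission, array $permission): bool
{
    // Post-fix logic: both permission flags must hold and the key must be exactly true.
    // !empty() short-circuits before the strict comparison, so a missing key raises no warning.
    return ($groupPermission && $userPermission)
        && !empty($permission['dlattachment'])
        && $permission['dlattachment'] === true;
}

// Constructed permission records: the key name comes from the diff, the values are illustrative.
$cases = [
    'restricted (flag false)' => ['dlattachment' => false],
    'restricted (flag 0)'     => ['dlattachment' => 0],
    'restricted (flag "")'    => ['dlattachment' => ''],
    'restricted (flag null)'  => ['dlattachment' => null],
    'no flag at all'          => [],
    'allowed (flag true)'     => ['dlattachment' => true],
];

// Group/user combinations to exercise: group only, both, user only.
$grants = [[true, false], [true, true], [false, true]];

printf("%-26s %-6s %-6s %-10s %-6s\n", 'record', 'group', 'user', 'vulnerable', 'fixed');
foreach ($cases as $label => $permission) {
    foreach ($grants as [$group, $user]) {
        printf(
            "%-26s %-6s %-6s %-10s %-6s\n",
            $label,
            var_export($group, true),
            var_export($user, true),
            var_export(vulnerableCheck($group, $user, $permission), true),
            var_export(fixedCheck($group, $user, $permission), true)
        );
    }
}
```

Run it with php on the command line. The rows to look at are the restricted records (flag false, 0 or "") with $groupPermission true: vulnerableCheck() returns true because isset() only asks whether the key is non-null and the || branch makes $userPermission irrelevant, while fixedCheck() returns false. Only the record whose flag is exactly true passes the fixed check, and then only when both permission flags hold. The fixedCheck() condition is also what a manual patch of attachment.php (second mitigation above) should end up with.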
Remediation Steps:
- Backup your phpMyFAQ database and files.
- Download the latest release from the official phpMyFAQ repository.
- Replace the application files with the new version.
- Verify the fix by attempting to download a restricted attachment with a restricted user account; the request must now be denied.
References
Read the full report for CVE-2026-24420 on our website for more details including interactive diagrams and full exploit analysis.