phpMyFAQ: The 'Backup for Everyone' Feature You Didn't Ask For
Vulnerability ID: CVE-2026-24421
CVSS Score: 6.5
Published: 2026-01-23
A critical authorization failure in phpMyFAQ allows any low-privileged authenticated user to trigger and potentially retrieve full system configuration backups, exposing database credentials and sensitive system data.
TL;DR
In phpMyFAQ <= 4.0.16, the developers confused authentication with authorization. If you can log in—even as a lowly intern—you can hit the /api/setup/backup endpoint. This triggers a full system backup, wrapping up the database configuration (and its credentials) into a nice little ZIP file for you to steal.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862 (Missing Authorization)
- CVSS v3.1: 6.5 (Medium)
- Attack Vector: Network (API)
- Privileges Required: Low (Authenticated User)
- Impact: Confidentiality (High), Availability (Low)
- Exploit Status: PoC Available
Affected Systems
- phpMyFAQ <= 4.0.16 (fixed in 4.0.17)
Exploit Details
- Manual Analysis: Exploit involves sending a POST request to /api/setup/backup with a valid session cookie.
Mitigation Strategies
- Implement Role-Based Access Control (RBAC) on all API endpoints.
- Restrict web access to sensitive directories containing backup files.
- Rate limit resource-intensive endpoints like backup generation.
Remediation Steps:
- Upgrade phpMyFAQ to version 4.0.17 or higher.
- Verify that 'SetupController.php' includes 'checkPermission' calls for the backup action.
- Configure the web server to deny access to the /api/setup/backup endpoint for untrusted IPs.
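The remediation list above turns on one distinction: the vulnerable endpoint checks that a session exists (authentication) but never checks what that session is allowed to do (authorization). The following is an added illustration, not phpMyFAQ's own code, showing a minimal controller with the auth-only pattern beside a version that gates the backup action behind an explicit permission check. The `User` class, the `backup:create` permission name, and the method names are assumptions made for the example.

```php
<?php
// Added illustration (not phpMyFAQ's own code): authentication alone versus
// authentication plus an explicit authorization check on a backup action.
// Class, method and permission names below are assumptions for the example.

declare(strict_types=1);

final class User
{
    /** @param string[] $permissions */
    public function __construct(
        public readonly string $name,
        private readonly array $permissions,
    ) {}

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class ForbiddenException extends RuntimeException {}

final class SetupController
{
    // Vulnerable pattern: any logged-in user can trigger the backup.
    public function backupAuthOnly(?User $user): string
    {
        if ($user === null) {
            throw new RuntimeException('401 Unauthorized: login required');
        }
        return $this->createBackup($user);
    }

    // Hardened pattern: authentication first, then a permission check.
    public function backupWithPermissionCheck(?User $user): string
    {
        if ($user === null) {
            throw new RuntimeException('401 Unauthorized: login required');
        }
        if (!$user->hasPermission('backup:create')) {
            // Denied attempts are the signal a defender wants to alert on.
            error_log(sprintf('denied backup request by user "%s"', $user->name));
            throw new ForbiddenException('403 Forbidden: backup permission required');
        }
        return $this->createBackup($user);
    }

    private function createBackup(User $user): string
    {
        // Stand-in for the real backup job; returns a constructed filename.
        return sprintf('backup-%s-%s.zip', $user->name, date('Ymd'));
    }
}

// Constructed users: an administrator and a low-privileged contributor.
$admin  = new User('admin', ['backup:create', 'faq:edit']);
$intern = new User('intern', ['faq:edit']);

$controller = new SetupController();

foreach ([$admin, $intern] as $user) {
    foreach (['backupAuthOnly', 'backupWithPermissionCheck'] as $action) {
        try {
            $result = $controller->$action($user);
            printf("%-26s %-7s -> allowed (%s)\n", $action, $user->name, $result);
        } catch (ForbiddenException $e) {
            printf("%-26s %-7s -> %s\n", $action, $user->name, $e->getMessage());
        }
    }
}
```

Run with `php example.php` (PHP 8.1 or later for `readonly` properties). The auth-only action lets both users obtain a backup; the permission-checked action allows only the administrator and logs the intern's denied attempt, which is the event worth wiring into detection for this class of bug.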