CVE-2026-49205: Missing Authorization in phpMyFAQ Public REST API Write Endpoints
Vulnerability ID: CVE-2026-49205
CVSS Score: 6.5
Published: 2026-06-23
An incomplete security patch for CVE-2026-24421 in phpMyFAQ allows authenticated low-privileged users to bypass role-based access controls. While the initial patch addressed missing authorization in the BackupController, it left four critical write-enabled endpoints vulnerable. A remote attacker holding a valid low-privilege API token can therefore perform unauthorized data modifications: creating categories, creating FAQs, updating FAQs, and injecting questions directly into the database.
TL;DR
An incomplete fix for CVE-2026-24421 in phpMyFAQ leaves four REST API endpoints vulnerable to missing authorization, enabling low-privileged authenticated users to modify categories, FAQs, and system questions without the required role permissions.
Technical Details
- CWE ID: CWE-862: Missing Authorization
- Attack Vector: Network
- CVSS v3.1 Score: 6.5 (Medium)
- Exploit Maturity: None / Unproven
- EPSS Score: 0.0024
- KEV Status: Not Listed
Affected Systems
- phpMyFAQ open-source FAQ web application
- phpMyFAQ: < 4.1.4 (Fixed in: 4.1.4)
Code Analysis
Commit: d5c195b
fix: enforce user permissions on public API write endpoints
@@ -181,6 +182,7 @@ public function list(): JsonResponse
public function create(Request $request): JsonResponse
{
$this->hasValidToken();
+ $this->userHasPermission(PermissionType::CATEGORY_ADD);
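Review bot: the return value of `$this->userHasPermission(PermissionType::CATEGORY_ADD)` is discarded, so this line only enforces anything if the helper itself aborts the request (throws or sends a 403) when the permission is missing; confirm it fails closed rather than returning a boolean that the caller ignores. Also, only the category `create` endpoint is visible in this hunk while the advisory names four affected write endpoints (create category, create FAQ, update FAQ, inject question), so the same guard, with the matching permission type for each action, needs to land in the other three, and a regression test that calls each write endpoint with a token lacking the permission and expects a denial would make the fix verifiable.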
Mitigation Strategies
- Upgrade phpMyFAQ to version 4.1.4 or higher.
- Implement a manual code-level patch to enforce role validation on all public REST API write endpoints.
- Deploy WAF rules to restrict POST and PUT requests to public API controllers based on user roles.
Remediation Steps:
- Download phpMyFAQ version 4.1.4 from the official repository.
- Apply database and application updates following the standard phpMyFAQ upgrade documentation.
- Validate API security policies by attempting a write request using a low-privileged API token.
References
- GitHub Security Advisory GHSA-8c6h-7g6x-m5x4
- CVE-2026-49205 Record
- CWE-862 Reference
- MITRE ATT&CK T1068 Reference