
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-GP95-J463-VV28: Authentication Bypass via Insecure Default Token in phpMyFAQ REST API

Vulnerability ID: GHSA-GP95-J463-VV28
CVSS Score: 7.5
Published: 2026-05-20

phpMyFAQ contains an authentication bypass vulnerability in the REST API introduced in version 4.0. The flaw stems from an insecure default: the API client token is initialized to an empty string, and the authentication controller compares the token supplied in the request against that value with a plain equality check, so an empty value passes. This allows unauthenticated remote attackers to bypass the API token check and reach administrative API endpoints on any installation where the administrator never set a token.

TL;DR

An insecure default configuration in phpMyFAQ versions prior to 4.1.3 initializes the REST API token to an empty string. Because an empty x-pmf-token HTTP header compares equal to that empty default, unauthenticated attackers can bypass authentication and inject arbitrary content through the API.
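The following is an added example, not code from the advisory or from phpMyFAQ itself. It models the flawed comparison the report describes (an empty configured token matching an empty x-pmf-token header) next to a hardened check that fails closed when no token is configured, rejects empty headers, and compares in constant time. The header name is the one named on this page; the token values and the request headers are constructed for the demonstration.

```python
import hmac
from typing import Mapping, Optional

TOKEN_HEADER = "x-pmf-token"


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; returns None when the header is absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def vulnerable_api_auth(api_client_token: str, headers: Mapping[str, str]) -> bool:
    """Model of the flawed check described in the advisory (constructed here,
    not phpMyFAQ's source): the configured token defaults to "" and the
    controller accepts any request whose header value equals it, so an empty
    x-pmf-token header matches the empty default."""
    supplied = _header(headers, TOKEN_HEADER)
    if supplied is None:
        return False
    return supplied == api_client_token


def hardened_api_auth(api_client_token: Optional[str], headers: Mapping[str, str]) -> bool:
    """Hardened check: fail closed when no token is configured, reject a
    missing or empty header, and compare in constant time."""
    if not api_client_token:
        return False
    supplied = _header(headers, TOKEN_HEADER)
    if not supplied:
        return False
    return hmac.compare_digest(api_client_token.encode("utf-8"), supplied.encode("utf-8"))


# Constructed inputs: the PoC described on this page sends an empty token header.
POC_HEADERS = {"X-PMF-Token": ""}
LEGIT_HEADERS = {"x-pmf-token": "example-configured-token-0123456789"}
DEFAULT_TOKEN = ""                                   # insecure default before 4.1.3
CONFIGURED_TOKEN = "example-configured-token-0123456789"


def demo() -> dict:
    """Run both checks against the constructed requests; True means accepted."""
    return {
        "vulnerable_default_token_empty_header": vulnerable_api_auth(DEFAULT_TOKEN, POC_HEADERS),
        "vulnerable_configured_token_empty_header": vulnerable_api_auth(CONFIGURED_TOKEN, POC_HEADERS),
        "hardened_default_token_empty_header": hardened_api_auth(DEFAULT_TOKEN, POC_HEADERS),
        "hardened_configured_token_legit_header": hardened_api_auth(CONFIGURED_TOKEN, LEGIT_HEADERS),
        "hardened_configured_token_empty_header": hardened_api_auth(CONFIGURED_TOKEN, POC_HEADERS),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The only row where the two checks disagree is the first one: with the default empty token, the vulnerable model accepts the PoC request while the hardened check rejects it. Once an administrator sets a real token, even the flawed comparison rejects an empty header, which is why the advisory lists setting the token manually as a mitigation.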


⚠️ Exploit Status: PoC available

Technical Details

  • Vulnerability Type: Authentication Bypass
  • CWE ID: CWE-1188 (Initialization of a Resource with an Insecure Default)
  • CVSS Base Score: 7.5
  • Attack Vector: Network
  • Authentication Required: None
  • Integrity Impact: High
  • Exploit Status: PoC Available

Affected Systems

  • phpMyFAQ REST API v4.0
  • phpMyFAQ Core Backend
  • phpMyFAQ: >= 4.0.0, < 4.1.3 (Fixed in: 4.1.3)

Exploit Details

  • Research Context: Python PoC script demonstrating authentication bypass by supplying an empty x-pmf-token header.

Mitigation Strategies

  • Upgrade to phpMyFAQ 4.1.3 or later
  • Manually define a secure API client token in configuration
  • Disable the REST API functionality if unused

Remediation Steps:

  1. Verify current phpMyFAQ version via the administration dashboard.
  2. If running any version from 4.0.0 through 4.1.2, download the 4.1.3 update package.
  3. Apply the update following the official phpMyFAQ upgrade documentation.
  4. Navigate to Configuration -> API in the admin panel and ensure the 'apiClientToken' contains a secure, random string.
  5. Alternatively, disable 'enableAccess' under API settings if REST features are unneeded.
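As an added example (not part of the advisory or of phpMyFAQ), the steps above can be turned into a small audit script: it decides whether a reported version falls in the affected range, generates a token suitable for the apiClientToken setting, and flags an API configuration that is enabled with an empty or short token. The configuration keys `api.enableAccess` and `api.apiClientToken` are assumed from the setting names this page gives; adjust them to what your installation's configuration dump actually shows.

```python
import re
import secrets
from typing import Any, List, Mapping, Tuple

FIRST_AFFECTED = (4, 0, 0)     # REST API token check introduced in 4.0
FIXED = (4, 1, 3)              # fixed release named on this page
MIN_TOKEN_LENGTH = 32          # assumption: a reasonable floor for a random token

# Assumed configuration key names (derived from the admin panel labels on this page).
KEY_ENABLE = "api.enableAccess"
KEY_TOKEN = "api.apiClientToken"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'v4.1.2', '4.1.2' or '4.1' into a comparable tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True for 4.0.0 <= version < 4.1.3, the range given in the advisory."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED


def generate_client_token(n_bytes: int = 32) -> str:
    """Random hex token from the OS CSPRNG, suitable for apiClientToken."""
    return secrets.token_hex(n_bytes)


def _truthy(value: Any) -> bool:
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def audit_api_config(config: Mapping[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the API settings look safe."""
    findings: List[str] = []
    if not _truthy(config.get(KEY_ENABLE, False)):
        return findings                      # REST API disabled: token value is moot
    token = str(config.get(KEY_TOKEN) or "")
    if token == "":
        findings.append(f"{KEY_TOKEN} is empty while the API is enabled: "
                        "an empty x-pmf-token header passes the check")
    elif len(token) < MIN_TOKEN_LENGTH:
        findings.append(f"{KEY_TOKEN} is shorter than {MIN_TOKEN_LENGTH} characters")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration resembling an unpatched default install.
    sample = {KEY_ENABLE: "true", KEY_TOKEN: ""}
    print("4.1.2 affected:", is_affected("4.1.2"))
    print("4.1.3 affected:", is_affected("4.1.3"))
    for finding in audit_api_config(sample):
        print("FINDING:", finding)
    print("suggested token:", generate_client_token())
```

Run it against the values exported from the configuration table before and after applying step 4; the audit should return no findings once a generated token is in place or once enableAccess is turned off.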

