CVE-2026-45009
Severity: MEDIUM
phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints
Title source: CNA description
phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability (CWE-863) in its admin-api routes: the routes only check whether the caller is logged in and never verify that the account holds backend (admin) privileges, so any authenticated ordinary user can call administrative endpoints. An attacker with a valid frontend user account can read sensitive backend operational information, including dashboard version data, LDAP configuration, Elasticsearch statistics, and health-check output. The CVSS vector (PR:L, C:L, I:N, A:N) reflects this: a low-privileged account is required and the impact is limited to confidentiality. The fix is to upgrade to 4.1.2 or later.
References (2)
Vendor Advisory
GHSA Advisory GHSA-jrc5-w569-h7h5
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5
Third Party Advisory
VulnCheck Advisory: phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints
https://www.vulncheck.com/advisories/phpmyfaq-insufficient-authorization-check-in-admin-api-endpoints
Scores
CVSS v3: 4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.0017 (percentile 6.4%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-863 (Incorrect Authorization)
Status: published
Products (6)
phpMyFAQ/phpMyFAQ: 0 - 4.1.2 (Packagist)
phpmyfaq/phpmyfaq: 4.1.1 - 4.1.2 (Packagist)
thorsten/phpMyFAQ: 0 - 4.1.2 (Packagist)
thorsten/phpmyfaq: 4.1.1 - 4.1.2
thorsten/phpmyfaq: 4.1.1 - 4.1.2 (Packagist)
thorsten/phpmyfaq: 4.1.2
Published: May 15, 2026
Tracked Since: May 16, 2026