HIGH 8.8

CVE-2026-35671

phpMyFAQ versions before 4.1.3 contain a privilege escalation vulnerability in the admin password management API. An authenticated administrator with low-level privileges can manipulate API requests to reset any user's password, including SuperAdmin accounts, bypassing normal authorization checks. This allows attackers to seize full control of the FAQ system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-266
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35671 is an Insecure Direct Object Reference (IDOR) vulnerability in phpMyFAQ's admin API password endpoint. The overwrite-password function fails to verify that the requesting administrator has authorization to modify the target user's credentials. By tampering with the userId parameter, a low-privilege admin can change SuperAdmin passwords, achieving full privilege escalation. The vulnerability affects all versions prior to 4.1.3.

Business impact

A compromised FAQ system can disrupt knowledge management operations and customer support functions. More critically, successful exploitation grants attackers administrative control, enabling defacement, data theft, user account compromise, and lateral movement within connected infrastructure. Organizations using phpMyFAQ for customer-facing documentation face reputational risk and potential compliance violations if user data is accessed or modified.

Affected systems

phpMyFAQ installations prior to version 4.1.3 are vulnerable. The vulnerability requires valid administrator credentials to exploit, limiting the immediate attack surface to environments where admin account compromise or insider threats are plausible. Organizations running current or patched versions are not affected.

Exploitability

Exploitation requires low-level administrator access, making this a post-authentication attack. No user interaction is needed once authenticated. An attacker can programmatically craft API requests to reset SuperAdmin passwords with minimal technical overhead. The attack is reliable and leaves minimal forensic traces if logging is not configured. The relatively straightforward exploitation mechanism and high privilege reward make this attractive to both insider threats and attackers who have compromised a standard admin account.

Remediation

Upgrade phpMyFAQ to version 4.1.3 or later, which implements proper authorization verification on the password change endpoint. Organizations unable to patch immediately should restrict admin API access via network segmentation, enforce strong password policies to reduce likelihood of admin account compromise, and increase monitoring of password change activities.

Patch guidance

Apply phpMyFAQ 4.1.3 or later. Verify the patch against the official phpMyFAQ release notes and advisory documentation. Test patches in a non-production environment before deployment. After patching, rotate all administrator passwords as a precautionary measure, since any historical admin access may have been abused.

Detection guidance

Monitor API audit logs for repeated failed or successful overwrite-password requests, particularly those originating from unusual source IPs or executed by lower-privilege admins. Look for password change requests followed by immediate administrative activity from new accounts. Configure alerting on any password modifications to SuperAdmin or high-privilege accounts. Correlation of API requests with user authentication logs can reveal abuse patterns.

Why prioritize this

This vulnerability scores 8.8 (HIGH severity) and enables full system compromise via privilege escalation. Although it requires authenticated access, the barrier is low—compromise of a single standard admin account leads to complete takeover. Organizations should prioritize patching within their standard critical update cycles, especially if their phpMyFAQ instances are internet-facing or support high-value business processes.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability (C:H, I:H, A:H), network-based attack vector (AV:N), and low attack complexity (AC:L). The primary limiting factor is the requirement for prior authentication (PR:L), which prevents a zero-day remote takeover scenario but does not significantly reduce risk in environments where admin credentials are at moderate risk of compromise.

Frequently asked questions

Do I need admin credentials to exploit this vulnerability?

Yes. The attacker must already have valid phpMyFAQ administrator credentials, typically obtained through credential compromise, insider threat, or weak password practices. Standard users cannot exploit this vulnerability.

If I upgrade to 4.1.3, do I need to take additional steps?

After upgrading, rotate all administrator passwords, particularly those of low-privilege admins. Review recent password change audit logs for any suspicious modifications to SuperAdmin accounts that may have occurred prior to patching.

Are there workarounds if I cannot patch immediately?

Network-level access controls and VPN requirements for admin API endpoints can reduce risk. Additionally, monitor authentication logs and password change events closely. However, these are mitigations only—upgrading is the definitive fix.

Could this vulnerability allow an attacker to access FAQ content or user data?

The direct impact is administrative account compromise. Once an attacker gains SuperAdmin access, they can then access, modify, or delete any data within phpMyFAQ, including user information and FAQ content.

This analysis is provided for informational purposes to support security decision-making. Verify all technical details, patch availability, and version information against official phpMyFAQ vendor advisories and release notes. Security teams should test patches in controlled environments before production deployment. SEC.co does not provide legal, compliance, or vendor-specific support; consult your organization's security and legal teams for policy guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2025-15656HIGH

    CVE-2025-15656: Privilege Escalation in Mojoomla School Management – Patch Guidance & Detection

  • CVE-2026-10236HIGH

    CVE-2026-10236: SourceCodester Water Billing System Improper Authorization Vulnerability (CVSS 7.3)

  • CVE-2026-10070MEDIUM

    CVE-2026-10070: macrozheng mall Admin Authorization Bypass in /admin/update/

  • CVE-2026-10152MEDIUM

    CVE-2026-10152: Improper Access Control in TaleLin lin-cms-spring-boot Book Endpoint

  • CVE-2026-10215MEDIUM

    CVE-2026-10215: Dolibarr Leave Request API Authorization Bypass

  • CVE-2026-10217MEDIUM

    CVE-2026-10217: GoClaw Privilege Escalation in RoleAdmin Gateway (CVSS 6.3)

  • CVE-2026-10218MEDIUM

    CVE-2026-10218: GoClaw Improper Authorization Vulnerability (CVSS 5.4)

  • CVE-2026-10255MEDIUM

    CVE-2026-10255: Pharmacy Sales System Authentication Bypass – SourceCodester 1.0