HIGH 7.5

CVE-2026-35672

phpMyFAQ versions before 4.1.3 have a critical flaw in their API that allows anyone on the network to create and modify FAQ entries without logging in. The vulnerability exists because the system accepts an empty authentication token by default, meaning attackers can submit requests with no valid credentials and the API will process them anyway. This permits unauthorized content injection into your knowledge base, potentially spreading misinformation, malware links, or defacement across your FAQ system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-1188
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35672 is an authentication bypass in phpMyFAQ's API v4.0 layer affecting versions prior to 4.1.3. The vulnerability stems from improper token validation where an empty api.apiClientToken is treated as valid. Attackers bypass the x-pmf-token header check by sending an empty value, gaining write access to sensitive endpoints: /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question. The flaw is classified under CWE-1188 (Initialization with Hard-Coded Network Resource Configuration Data), reflecting the reliance on a default, non-restrictive token state. The CVSS 3.1 score of 7.5 (HIGH) reflects high integrity impact with network-accessible attack surface, no privilege escalation required, and no user interaction needed.

Business impact

Compromise of FAQ content represents a reputational and operational risk. Attackers can inject false information into customer-facing documentation, degrade user trust, or embed malicious links that redirect users to phishing or malware distribution sites. For organizations using phpMyFAQ as a customer support or internal knowledge hub, unauthorized modification can cause support team inefficiency, customer confusion, and potential compliance violations if FAQ data contains regulated content (PII, security guidance, compliance statements). The attack requires no sophistication and leaves audit trails vulnerable if logging is not independently secured.

Affected systems

phpMyFAQ prior to version 4.1.3 is affected. Organizations running any prior release should assume exposure if their phpMyFAQ instance is accessible via network (internet-facing or internal network with API exposure). Assess your deployment: check the installed version via the phpMyFAQ admin panel or source inspection. This impacts both on-premises installations and any managed hosting scenarios where the FAQ system is internet-reachable.

Exploitability

Exploitability is trivial. No authentication, no special tools, no user interaction, and no complex configuration required. An attacker needs only HTTP client capabilities to craft POST requests to the affected endpoints with an empty x-pmf-token header. The attack surface is large: any network path to the API is sufficient. No CISA KEV listing exists at this time, but the low barrier to exploitation and high availability of phpMyFAQ installations mean practical exploitation risk is substantial. Automated scanning for vulnerable instances is feasible.

Remediation

Upgrade phpMyFAQ to version 4.1.3 or later immediately. This patch rectifies token validation logic to reject empty tokens and enforce proper API authentication. If immediate upgrade is not feasible, apply compensating controls: restrict API endpoint access at the network layer (firewall, reverse proxy, WAF rules) to trusted IP ranges; implement rate limiting on API endpoints; enable and monitor API access logs for anomalous POST activity to /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question; and regenerate any default API tokens and rotate credentials.

Patch guidance

Verify your current phpMyFAQ version in the admin settings or via the source tree. Download version 4.1.3 or later from the official phpMyFAQ repository and follow the vendor's upgrade guide. Test the patch in a non-production environment first to confirm compatibility with existing FAQ data and any customizations. After upgrade, confirm API token validation is functioning by attempting an unauthenticated request to the affected endpoints—it should be rejected. Consult the official phpMyFAQ release notes for version 4.1.3 to confirm the specific changes addressing this vulnerability.

Detection guidance

Monitor API access logs for POST requests to /api/v4.0/faq/create, /api/v4.0/category, or /api/v4.0/question with empty or missing x-pmf-token headers. Search for successful (HTTP 200–201) responses to these endpoints without valid authentication context. Implement WAF rules to flag or block POST requests to these endpoints lacking a non-empty x-pmf-token header. Review FAQ creation/modification audit logs for entries created outside normal business hours or by unrecognized users. If running a vulnerable version, treat any FAQ changes created after the vulnerability publication date (2026-05-28) as potentially malicious until verified.

Why prioritize this

Despite not yet appearing on CISA's KEV catalog, this vulnerability merits immediate prioritization due to: (1) zero authentication required, (2) network-accessible attack surface, (3) trivial exploitation complexity, (4) integrity-focused impact (content tampering), and (5) likely widespread deployment of phpMyFAQ in customer support environments. Organizations should treat this as a high-priority patch candidate similar to KEV-listed items. Delay increases the window for opportunistic exploitation or mass scanning.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects a HIGH severity: Network-accessible (AV:N), no special conditions required (AC:L), no privilege or authentication needed (PR:N/UI:N), and significant integrity impact (I:H) with no confidentiality or availability impact. The score appropriately captures the real-world risk of widespread content injection across a customer-facing or internal knowledge base without requiring attacker sophistication.

Frequently asked questions

Can this vulnerability be exploited if our phpMyFAQ instance is behind a firewall or internal network?

Yes. Any network path to the API—whether internal or external—permits exploitation. The vulnerability requires only HTTP access to the API endpoints; it does not depend on public internet exposure. Internal-only deployments are still at risk from insider threats or compromised internal systems.

What happens if I deploy a WAF rule blocking empty x-pmf-token headers as a temporary workaround?

This mitigates the immediate risk while you plan an upgrade. However, it is a band-aid: legitimate API clients that rely on proper token injection may be affected if misconfigured. A WAF rule should complement, not replace, the upgrade to 4.1.3. Verify that your API clients are configured to send valid tokens after implementing such rules.

Do I need to rotate API credentials if I was running a vulnerable version?

Yes. If your FAQ instance was exposed to the internet or accessible via an untrusted network during the vulnerability window (before patching), assume potential compromise and regenerate all API tokens. Audit FAQ entries for unexpected modifications and restore from a pre-vulnerability backup if tampering is detected.

Will updating to 4.1.3 affect existing FAQ content or API integrations?

The patch fixes authentication validation and should not alter FAQ data or break legitimate API integrations using proper credentials. However, test in a staging environment first. Any integrations or scripts sending empty tokens will fail after the upgrade—those must be reconfigured with valid API tokens.

This analysis is based on published vulnerability data as of the information cutoff. Verify all patch version numbers, affected product lists, and remediation steps against official phpMyFAQ vendor advisories and release notes. CVSS scores and KEV status reflect the state of public databases at publication; check NIST NVD and CISA KEV for the latest status. SEC.co provides this information for informational purposes to support security decision-making; it does not constitute legal or compliance advice. Test all patches and compensating controls in non-production environments before deployment. Organizations should conduct their own risk assessment based on their specific phpMyFAQ deployment, exposure, and business context. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-36612MEDIUM

    CVE-2026-36612: Mercusys AC12G Weak WPS Lockout Policy Enables Router Compromise

  • CVE-2026-36616MEDIUM

    CVE-2026-36616: Mercusys AC12G Hardcoded WiFi Credentials Vulnerability

  • CVE-2018-25382HIGH

    CVE-2018-25382: Zechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access

  • CVE-2018-25383HIGH

    CVE-2018-25383: Free MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk

  • CVE-2018-25385HIGH

    CVE-2018-25385: Unauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10

  • CVE-2018-25386HIGH

    CVE-2018-25386: SQL Injection in HaPe PKH 1.1 Admin Interface

  • CVE-2018-25388HIGH

    CVE-2018-25388: HaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)

  • CVE-2018-25389HIGH

    CVE-2018-25389: SQL Injection in HaPe PKH 1.1 Database Extraction