HIGH 8.2

CVE-2026-35676

phpMyFAQ versions before 4.1.3 contain a critical flaw that allows anyone on the internet to reset user account passwords without authentication. An attacker can enumerate valid usernames and email addresses, then forcibly change passwords by sending direct API requests. This bypasses normal security controls and immediately locks legitimate users out of their accounts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Weaknesses (CWE)
CWE-640
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35676 is an unauthenticated password reset vulnerability in phpMyFAQ's user password update API endpoint (/api/index.php/user/password/update). The vulnerability stems from missing token validation on PUT requests to this endpoint, classified under CWE-640 (Weak Password Recovery Mechanism). Attackers can enumerate valid username-email combinations and trigger immediate password changes without possessing any credentials or session tokens, resulting in account disruption and credential invalidation for legitimate users.

Business impact

This vulnerability poses an immediate threat to availability and account integrity for any organization running phpMyFAQ. Attackers can systematically lock out users by changing passwords, effectively denying access to FAQ systems and disrupting support operations. The ease of exploitation and absence of authentication requirements mean threat actors can scale attacks across multiple user accounts simultaneously. Organizations dependent on phpMyFAQ for knowledge management or customer support will face operational disruption until accounts are recovered.

Affected systems

phpMyFAQ versions prior to 4.1.3 are vulnerable. Organizations running phpMyFAQ should immediately identify their deployed version number and compare it against the 4.1.3 release threshold. Both on-premises and self-hosted installations are affected. This vulnerability has not been flagged for active KEV exploitation at this time, though the low technical barrier to exploitation suggests monitoring for in-the-wild activity is warranted.

Exploitability

This vulnerability is straightforward to exploit. The attack requires only network access to the API endpoint and can be executed with basic HTTP tools. No authentication, session tokens, or user interaction is required. An attacker can automate enumeration and password reset operations, making this a high-volume attack vector. The CVSS 3.1 score of 8.2 (HIGH severity) reflects the combination of zero prerequisites for exploitation and significant impact on account integrity.

Remediation

Upgrade phpMyFAQ to version 4.1.3 or later, which addresses the token validation vulnerability. Verify the upgrade is complete by confirming the new version number in the application settings. No workarounds exist for this vulnerability short of restricting API endpoint access at the network layer, which may break legitimate functionality.

Patch guidance

Download and apply phpMyFAQ 4.1.3 or a later stable release from the official phpMyFAQ project. Follow the vendor's documented upgrade procedure carefully, including backup of the current installation and database. Test the password reset functionality post-upgrade to confirm token validation is now enforced. If running a load-balanced or multi-instance environment, ensure all instances are updated simultaneously to prevent inconsistent security posture.

Detection guidance

Monitor API logs for unusual PUT requests to /api/index.php/user/password/update, particularly from external IP addresses or in high frequency from single sources. Inspect request patterns for multiple distinct username-email combinations being targeted in short time windows, which may indicate enumeration and mass reset attempts. Alert on successful password changes that were not preceded by user-initiated password reset requests or legitimate administrative actions. Review user access logs for unexpected account lockouts or access failures correlated with these API calls.

Why prioritize this

Prioritize patching immediately. The vulnerability requires no authentication, exploits a foundational security control (password reset), and causes direct harm to account availability. The low attack complexity and complete absence of access barriers make this highly attractive to opportunistic attackers. Even organizations with smaller phpMyFAQ deployments should treat this as urgent due to the potential for rapid, automated exploitation at scale.

Risk score, explained

The CVSS 3.1 score of 8.2 reflects a network-accessible vulnerability with low attack complexity and no authentication requirement (AV:N/AC:L/PR:N). Impact is rated as high integrity compromise and low confidentiality risk. The vulnerability does not directly compromise system availability, hence the 'N' in the A vector, but the ability to force password changes constitutes a severe integrity violation with operational consequences. The HIGH severity assignment is appropriate given the minimal barriers to exploitation.

Frequently asked questions

How can we determine if we're running a vulnerable version?

Check your phpMyFAQ installation by navigating to the admin panel or inspecting the version file (typically in the root directory). Look for the displayed version number and compare it against 4.1.3. If your version is lower than 4.1.3, you are vulnerable. Document the exact version number before contacting the vendor or checking release notes.

Can the API endpoint be safely disabled if we don't use the password reset feature?

Disabling the endpoint would mitigate the vulnerability but may break password reset functionality for legitimate users. A better approach is to apply the patch and implement network-level access controls (IP allowlisting, WAF rules) to restrict who can reach the endpoint while patches are staged. Verify with your phpMyFAQ administrator which features your deployment depends on before restricting access.

Will a password reset by an attacker trigger any notification to the user?

This depends on phpMyFAQ's implementation, but typically password resets are not logged in user-visible alerts. Assume that attackers could reset passwords silently. Monitor for unusual account lockouts and implement alerting on API password change requests. After patching, consider enabling password change notifications to users so they become aware if unauthorized resets occur in the interim.

Is there a temporary network-level mitigation we can apply before patching?

Yes. Restrict external access to /api/index.php/user/password/update using a Web Application Firewall (WAF), network firewall rules, or reverse proxy configuration. Allow only trusted internal networks or administrative IP ranges to reach this endpoint. This will limit exposure while you prepare and test the upgrade. Monitor for blocked requests to detect exploitation attempts.

This analysis is provided for informational purposes based on public vulnerability data. Verify all patch versions, affected products, and remediation steps against official vendor advisories and release notes. SEC.co does not guarantee the completeness or accuracy of derived impact assessments. Organizations should conduct their own risk analysis and testing before deploying patches in production environments. No exploit code or weaponized proof-of-concept is provided or implied in this guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-10169LOW

    CVE-2026-10169: Weak Password Recovery in OUSL-GROUP-BrinaryBrains School Management System

  • CVE-2018-25382HIGH

    CVE-2018-25382: Zechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access

  • CVE-2018-25383HIGH

    CVE-2018-25383: Free MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk

  • CVE-2018-25385HIGH

    CVE-2018-25385: Unauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10

  • CVE-2018-25386HIGH

    CVE-2018-25386: SQL Injection in HaPe PKH 1.1 Admin Interface

  • CVE-2018-25388HIGH

    CVE-2018-25388: HaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)

  • CVE-2018-25389HIGH

    CVE-2018-25389: SQL Injection in HaPe PKH 1.1 Database Extraction

  • CVE-2018-25390HIGH

    CVE-2018-25390: Unauthenticated SQL Injection in HaPe PKH 1.1