phpMyFAQ – Insufficient Authorization Check in Admin API Endpoints

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.

Basic Information

ID CVE-2026-45009

Source VulnCheck

Published May 15, 2026 at 18:36

Affected Product

Vendor thorsten

Product phpmyfaq

Version 4.1.1

Affected Versions thorsten phpmyfaq 4.1.1

CWE Classification

CWE-863

References

{
    "lastseen": "",
    "description": "phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.",
    "published": "2026-05-15T18:36:36.621Z",
    "modified": "2026-05-15T18:36:36.621Z",
    "type": "cve",
    "title": "phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints",
    "source": "VulnCheck",
    "references": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5\nhttps://www.vulncheck.com/advisories/phpmyfaq-insufficient-authorization-check-in-admin-api-endpoints",
    "id": "CVE-2026-45009",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "thorsten phpmyfaq 4.1.1",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "phpmyfaq",
    "version": "4.1.1",
    "vendor": "thorsten",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

phpMyFAQ – Insufficient Authorization Check in Admin API Endpoints_CVE-2026-45009