CVE-2026-45007 Overview
CVE-2026-45007 affects phpMyFAQ before version 4.1.2. The vulnerability resides in ConfigurationTabController.php, where 12 administrative API endpoints call userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). Any authenticated user, regardless of assigned role, can query /admin/api/configuration endpoints and enumerate system configuration metadata. Disclosed details include the permission model, cache backend, mail provider, and translation provider. The issue is categorized as Missing Authorization [CWE-862] and violates least privilege access control.
Critical Impact
Authenticated low-privilege users can enumerate sensitive phpMyFAQ administrative configuration data through 12 unprotected API endpoints, exposing infrastructure details useful for follow-on attacks.
Affected Products
- phpMyFAQ versions prior to 4.1.2
- ConfigurationTabController.php administrative API component
- /admin/api/configuration endpoints (12 affected routes)
Discovery Timeline
- 2026-05-15 - CVE-2026-45007 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-45007
Vulnerability Analysis
The vulnerability is a Broken Access Control flaw in the phpMyFAQ administrative API layer. The ConfigurationTabController.php class registers 12 endpoints under /admin/api/configuration. Each endpoint gates access with userIsAuthenticated(), which only verifies that a valid session exists. The correct check, userHasPermission(CONFIGURATION_EDIT), is never invoked. Any account with login rights, including limited contributor or read-only users, can therefore reach administrative configuration data.
Returned data includes the active permission model, cache backend, mail transport provider, and translation provider. An attacker can use this metadata to fingerprint the deployment and plan follow-up attacks against the disclosed components. The flaw does not allow modification of configuration values, only enumeration. The issue is exploitable over the network and requires only a low-privilege authenticated account.
Root Cause
The root cause is a developer oversight where the authorization layer was downgraded to authentication. userIsAuthenticated() confirms session validity but does not enforce role-based access. The intended function userHasPermission(CONFIGURATION_EDIT) validates that the caller holds the configuration edit privilege. Substituting the weaker check across 12 endpoints broke the least privilege model defined elsewhere in phpMyFAQ.
Attack Vector
An attacker first obtains any authenticated phpMyFAQ account, including self-registered or low-privilege users where registration is permitted. The attacker then issues HTTP GET requests to the affected /admin/api/configuration routes. The server responds with JSON payloads containing configuration metadata. No additional privilege escalation or token manipulation is required.
The vulnerability is described in prose only because no public proof-of-concept code is referenced in the advisories. See the GitHub Security Advisory and the VulnCheck Advisory for technical specifics on the affected endpoints.
Detection Methods for CVE-2026-45007
Indicators of Compromise
- Unexpected HTTP GET requests to /admin/api/configuration/* paths originating from non-administrator user sessions.
- Repeated enumeration patterns where a single authenticated session iterates across multiple configuration endpoints in quick succession.
- Web server access logs showing 200 OK responses to configuration API calls from accounts that do not hold the CONFIGURATION_EDIT permission.
Detection Strategies
- Correlate authenticated user IDs in application logs against the role required for /admin/api/configuration access, and alert on mismatches.
- Deploy web application firewall (WAF) rules that flag requests to admin configuration endpoints from sessions lacking administrator role claims.
- Review phpMyFAQ audit logs for read access to configuration tabs by non-admin accounts.
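The following detection logic, an added example rather than code from phpMyFAQ or the advisory, implements the indicator and correlation strategies above over a constructed access log and a constructed export of which accounts hold CONFIGURATION_EDIT; the route suffixes under /admin/api/configuration and the log field carrying the authenticated user are assumptions, since the advisory names only the prefix.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (combined format, authenticated user in the third
# field). Route suffixes are placeholders: only the prefix is documented.
ACCESS_LOG = """\
10.0.0.5 - alice [15/May/2026:10:00:01 +0000] "GET /admin/api/configuration/list HTTP/1.1" 200 512
10.0.0.5 - alice [15/May/2026:10:00:02 +0000] "GET /admin/api/configuration/cache HTTP/1.1" 200 128
203.0.113.7 - bob [15/May/2026:10:05:10 +0000] "GET /admin/api/configuration/list HTTP/1.1" 200 512
203.0.113.7 - bob [15/May/2026:10:05:11 +0000] "GET /admin/api/configuration/mail HTTP/1.1" 200 96
203.0.113.7 - bob [15/May/2026:10:05:12 +0000] "GET /admin/api/configuration/translation HTTP/1.1" 200 64
203.0.113.9 - carol [15/May/2026:10:07:00 +0000] "GET /admin/api/configuration/list HTTP/1.1" 403 0
203.0.113.9 - carol [15/May/2026:10:07:05 +0000] "GET /index.php HTTP/1.1" 200 2048
"""
# Constructed export of which accounts hold CONFIGURATION_EDIT (assumed format).
PERMISSIONS = {"alice": {"CONFIGURATION_EDIT"}, "bob": set(), "carol": set()}

CONFIG_PREFIX = "/admin/api/configuration"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(log):
    """Yield one dict per well-formed line; lines the regex rejects are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield {**m.groupdict(), "ts": ts}

def find_unauthorized_reads(log, perms, window=timedelta(seconds=60), burst=3):
    """Per-user findings: successful (200) reads under CONFIG_PREFIX by accounts
    without CONFIGURATION_EDIT. 'burst' is set when at least `burst` distinct
    endpoints are read within `window`, the enumeration pattern in the IoC list."""
    hits = defaultdict(list)
    for rec in parse(log):
        if (rec["path"].startswith(CONFIG_PREFIX) and rec["status"] == "200"
                and "CONFIGURATION_EDIT" not in perms.get(rec["user"], set())):
            hits[rec["user"]].append((rec["ts"], rec["path"]))
    findings = {}
    for user, events in hits.items():
        events.sort()
        is_burst = any(
            len({p for t, p in events if start <= t <= start + window}) >= burst
            for start, _ in events)
        findings[user] = {"endpoints": sorted({p for _, p in events}), "burst": is_burst}
    return findings
```

Denied (403) requests are deliberately excluded so the rule only fires on reads that actually succeeded, which is what distinguishes a vulnerable instance from a patched one.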
Monitoring Recommendations
- Enable verbose request logging on the phpMyFAQ admin API and forward logs to a centralized analytics platform.
- Baseline normal administrator API traffic patterns and alert on deviations such as access from new user IDs or IP ranges.
- Monitor for newly created low-privilege accounts followed by access to /admin/api/configuration endpoints within a short time window.
How to Mitigate CVE-2026-45007
Immediate Actions Required
- Upgrade phpMyFAQ to version 4.1.2 or later, which replaces userIsAuthenticated() with userHasPermission(CONFIGURATION_EDIT) on the affected endpoints.
- Audit existing user accounts and disable or remove accounts that are no longer needed.
- Disable open self-registration on phpMyFAQ instances exposed to the internet until the patch is applied.
Patch Information
The maintainers fixed the issue in phpMyFAQ 4.1.2 by enforcing the CONFIGURATION_EDIT permission on all 12 affected endpoints in ConfigurationTabController.php. Refer to the GitHub Security Advisory GHSA-rm98-82fr-mcfx for upgrade instructions and commit details.
Workarounds
- Restrict access to /admin/api/configuration paths at the reverse proxy or WAF layer to administrator source IP addresses only.
- Temporarily remove or rename the affected controller routes until the upgrade is deployed, accepting reduced admin UI functionality.
- Tighten role assignments so that only trusted administrators hold any authenticated session on the phpMyFAQ instance.
# Configuration example: nginx rule restricting the admin configuration API to trusted IPs
location ~ ^/admin/api/configuration {
    allow 10.0.0.0/24;   # trusted admin subnet
    deny  all;
    proxy_pass http://phpmyfaq_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.