CVE-2026-45009 Overview
CVE-2026-45009 is an insufficient authorization vulnerability in phpMyFAQ versions before 4.1.2. The flaw resides in admin-api routes that verify only login status without checking backend administrative privileges. Authenticated frontend users can reach administrative endpoints intended for backend administrators. Exposed data includes dashboard version information, Lightweight Directory Access Protocol (LDAP) configuration, Elasticsearch statistics, and health-check details. The issue is classified under CWE-863: Incorrect Authorization.
Critical Impact
Any authenticated ordinary user can query phpMyFAQ admin-api endpoints and obtain sensitive backend configuration and operational data without administrative privileges.
Affected Products
- phpMyFAQ versions prior to 4.1.2
- Installations exposing admin-api routes to authenticated frontend users
- Deployments configured with LDAP or Elasticsearch backends
Discovery Timeline
- 2026-05-15 - CVE-2026-45009 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-45009
Vulnerability Analysis
phpMyFAQ separates its frontend user accounts from backend administrators. The admin-api routes are intended to serve backend administrative operations. The vulnerable code path checks only that a session is authenticated, not that the session belongs to a user with backend privileges. Any user with a valid frontend account can invoke administrative endpoints.
Exposed endpoints return operational and configuration data. This includes the dashboard version, LDAP configuration values, Elasticsearch index statistics, and health-check responses. The data assists attackers in fingerprinting the deployment and planning further attacks against connected identity and search backends.
The vulnerability does not grant write access or remote code execution on its own. It impacts confidentiality by leaking backend metadata to lower-privileged users.
Root Cause
The root cause is a missing privilege check in the admin-api route handlers. The middleware confirms authentication but skips backend role verification. This is a classic CWE-863 authorization mismatch where the access control decision relies on the wrong attribute of the session.
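The mismatch described above, shown as an added Python illustration (not phpMyFAQ's own PHP code): a guard that decides on "logged in" beside one that also checks the backend role. The route paths and the session fields are assumed for the example.

```python
from dataclasses import dataclass

@dataclass
class Session:
    """Constructed session model for the example; not a phpMyFAQ class."""
    user: str
    authenticated: bool
    backend_admin: bool  # the attribute the vulnerable check never consults

# Route set named after the data the advisory says is exposed; paths are assumed.
ADMIN_API_ROUTES = {
    "/admin-api/dashboard/version",
    "/admin-api/config/ldap",
    "/admin-api/elasticsearch/stats",
    "/admin-api/health",
}

def vulnerable_guard(session, path):
    """CWE-863 shape: the only question asked is 'is someone logged in?'"""
    if path.startswith("/admin-api/") and not session.authenticated:
        return 401
    return 200

def fixed_guard(session, path):
    """Hardened shape: admin-api needs authentication AND a backend role."""
    if path.startswith("/admin-api/"):
        if not session.authenticated:
            return 401
        if not session.backend_admin:
            return 403
    return 200

def leaked_paths(guard):
    """Admin-api paths a plain frontend account can read through `guard`."""
    frontend = Session("frontend_user", authenticated=True, backend_admin=False)
    return sorted(p for p in ADMIN_API_ROUTES if guard(frontend, p) == 200)
```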
Attack Vector
An attacker first registers or compromises a standard phpMyFAQ frontend account. Using the resulting session cookie or token, the attacker issues HTTP requests directly to admin-api endpoints. The server validates the session as logged in and returns administrative data. No social engineering or chained exploit is required.
No verified public proof-of-concept code is available. See the GitHub Security Advisory and VulnCheck Advisory on phpMyFAQ for additional technical details.
Detection Methods for CVE-2026-45009
Indicators of Compromise
- HTTP requests to admin-api paths originating from accounts that lack backend administrator roles.
- Successful 200 OK responses on administrative endpoints returning version, LDAP, Elasticsearch, or health data to non-admin sessions.
- Unusual enumeration patterns sweeping multiple admin-api routes from a single low-privileged session.
Detection Strategies
- Correlate web server access logs with phpMyFAQ user role data to flag admin-api calls by non-admin user IDs.
- Deploy a Web Application Firewall (WAF) rule that compares the requesting user's role attribute against the requested endpoint class.
- Monitor outbound responses from admin-api routes for sensitive markers such as ldap, elasticsearch, or health fields delivered to frontend sessions.
Monitoring Recommendations
- Enable verbose audit logging for all admin-api requests, including authenticated user identifier and assigned role.
- Alert on repeated administrative endpoint access by accounts created within the last 24 hours.
- Track baseline call volumes per endpoint and trigger investigations on statistical deviations.
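The log-correlation detections listed above (non-admin hits on admin-api routes, route sweeps from one low-privileged session, and activity from accounts younger than 24 hours), as an added Python example that is not part of the advisory. The access log lines, user directory, route paths and the reference time are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format, with the application user in
# the remote-user field as a reverse proxy can log it). Paths are assumed.
ACCESS_LOG = """\
10.0.0.5 - alice [15/May/2026:10:00:01 +0000] "GET /admin-api/dashboard/version HTTP/1.1" 200 512
10.0.0.9 - bob [15/May/2026:10:00:05 +0000] "GET /admin-api/config/ldap HTTP/1.1" 200 2048
10.0.0.9 - bob [15/May/2026:10:00:06 +0000] "GET /admin-api/elasticsearch/stats HTTP/1.1" 200 4096
10.0.0.9 - bob [15/May/2026:10:00:07 +0000] "GET /admin-api/health HTTP/1.1" 200 256
10.0.0.9 - bob [15/May/2026:10:00:08 +0000] "GET /faq/123 HTTP/1.1" 200 8192
10.0.0.7 - carol [15/May/2026:10:01:00 +0000] "GET /admin-api/health HTTP/1.1" 403 0
"""
# Constructed user directory exported from the application: role and creation time.
USERS = {
    "alice": {"backend_admin": True,  "created": datetime(2026, 1, 10)},
    "bob":   {"backend_admin": False, "created": datetime(2026, 5, 15, 9, 30)},
    "carol": {"backend_admin": False, "created": datetime(2025, 11, 2)},
}
LOG_RE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    """Return the fields this detection needs, or None for a non-matching line."""
    m = LOG_RE.match(line)
    return {**m.groupdict(), "status": int(m.group("status"))} if m else None

# `now` is a constructed reference time on the same day as the sample log.
def find_suspicious(log_text=ACCESS_LOG, users=USERS, now=datetime(2026, 5, 15, 11, 0),
                    sweep_threshold=3):
    """Flag admin-api use by non-admin accounts: successful hits, route sweeps
    (>= sweep_threshold distinct admin-api paths) and hits from accounts < 24h old."""
    hits, paths_by_user, new_accounts = [], defaultdict(set), []
    for line in log_text.splitlines():
        r = parse(line)
        if not r or not r["path"].startswith("/admin-api/"):
            continue
        u = users.get(r["user"])
        if u is None or u["backend_admin"]:
            continue  # admins are expected here; unknown users need a separate rule
        paths_by_user[r["user"]].add(r["path"])
        if r["status"] == 200:
            hits.append((r["user"], r["path"]))
            if now - u["created"] < timedelta(hours=24):
                new_accounts.append((r["user"], r["path"]))
    sweeping = sorted(u for u, p in paths_by_user.items() if len(p) >= sweep_threshold)
    return hits, sweeping, new_accounts
```

Carol's 403 is deliberately not counted as a hit but still contributes to her sweep count, since a denied probe is worth knowing about too.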
How to Mitigate CVE-2026-45009
Immediate Actions Required
- Upgrade phpMyFAQ to version 4.1.2 or later on all instances.
- Audit user accounts and disable any unrecognized or unused frontend accounts.
- Review recent access logs for admin-api requests from non-administrator users and investigate matches.
Patch Information
The phpMyFAQ maintainers fixed the issue in version 4.1.2 by adding backend privilege verification to admin-api route handlers. Refer to the GitHub Security Advisory for the official patch and remediation guidance.
Workarounds
- Restrict network access to admin-api paths using a reverse proxy or WAF rule that requires an administrator session cookie or IP allowlist.
- Disable self-registration of frontend users until the patch is applied.
- Rotate LDAP and Elasticsearch credentials if logs show unauthorized admin-api access prior to patching.
# Example NGINX restriction limiting admin-api to an internal admin network.
# Assumes an "upstream phpmyfaq_backend { ... }" block is defined elsewhere and
# that the admin-api routes live under /admin-api/ on this deployment.
location /admin-api/ {
    allow 10.0.0.0/24;   # internal admin network; adjust to your own range
    deny  all;           # everyone else, including frontend users, receives 403
    proxy_pass http://phpmyfaq_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.