CVE-2026-45010 Overview
CVE-2026-45010 is an authentication bypass vulnerability in phpMyFAQ versions before 4.1.2. The /admin/check endpoint accepts arbitrary user-id parameters without session binding or rate limiting [CWE-307]. Unauthenticated attackers can brute-force any administrator's six-digit Time-based One-Time Password (TOTP) by submitting sequential POST requests. Successful exploitation defeats two-factor authentication (2FA) and grants full administrative access to the affected phpMyFAQ instance.
Critical Impact
Remote, unauthenticated attackers can defeat 2FA and gain full administrative control of phpMyFAQ instances by brute-forcing six-digit TOTP codes.
Affected Products
- phpMyFAQ versions prior to 4.1.2
- Self-hosted phpMyFAQ deployments exposing the /admin/check endpoint
- Any phpMyFAQ administrator account configured with TOTP-based 2FA
Discovery Timeline
- 2026-05-15 - CVE-2026-45010 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-45010
Vulnerability Analysis
The vulnerability resides in the /admin/check endpoint of phpMyFAQ. This endpoint validates TOTP codes during the administrator authentication flow. The handler accepts a user-id parameter supplied by the client and uses it to look up the target account's TOTP secret. The endpoint enforces neither a session binding to the preceding password authentication step nor any throttling on repeated submissions.
A TOTP code is a six-digit numeric value, yielding only one million possible combinations. Without rate limiting, an attacker can exhaust the entire keyspace within minutes using standard HTTP request tooling. The endpoint returns a deterministic response indicating whether the submitted code matches, providing the oracle needed for automated brute-force enumeration.
Because the endpoint is reachable pre-authentication and accepts arbitrary user-id values, an attacker does not need valid credentials or a foothold. Successful TOTP guessing returns a state that the application treats as a completed second authentication factor.
Root Cause
The root cause is improper restriction of excessive authentication attempts. The /admin/check handler omits two controls: (1) it does not bind the TOTP verification step to a server-side session created by prior primary-credential authentication, and (2) it does not apply request rate limiting, account lockout, or exponential backoff for repeated failed TOTP submissions.
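The two missing controls translate directly into a verification routine. The following Python is an added example (not phpMyFAQ's code and not the 4.1.2 fix) of how a TOTP check can be written so that it is bound to a server-side session created by the password step and locks the pending second factor after repeated failures. The in-memory session store, the failure limit, the lockout duration and the `TotpVerifier` API are assumptions made for illustration; the TOTP computation itself follows RFC 6238 (HMAC-SHA1, 30-second step, six digits).

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILURES = 5         # assumed: lock the pending 2FA step after this many wrong codes
LOCKOUT_SECONDS = 900    # assumed: how long the lock lasts
STEP = 30                # RFC 6238 default time step
DIGITS = 6


def totp_code(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


@dataclass
class PendingSecondFactor:
    user_id: str            # bound server-side when the password step succeeded
    failures: int = 0
    locked_until: float = 0.0


class TotpVerifier:
    """Second-factor check that takes the user from the session, never from the request."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets                          # user_id -> TOTP secret
        self._pending: Dict[str, PendingSecondFactor] = {}
        self._last_counter: Dict[str, int] = {}          # per user: last accepted time step

    def begin_second_factor(self, session_id: str, user_id: str) -> None:
        """Call only after the primary credentials of user_id were verified."""
        self._pending[session_id] = PendingSecondFactor(user_id=user_id)

    def verify(self, session_id: str, code: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        pending = self._pending.get(session_id)
        if pending is None:
            return "no_session"        # no completed password step behind this request
        if now < pending.locked_until:
            return "locked"            # do not even evaluate the code while locked
        user_id = pending.user_id
        secret = self._secrets[user_id]
        counter = int(now) // STEP
        last = self._last_counter.get(user_id, -1)
        matched = None
        if code.isascii() and code.isdigit() and len(code) == DIGITS:
            # Accept one step of clock skew either way, but never a step already used.
            for c in (counter - 1, counter, counter + 1):
                if c > last and hmac.compare_digest(totp_code(secret, c * STEP), code):
                    matched = c
                    break
        if matched is not None:
            self._last_counter[user_id] = matched
            del self._pending[session_id]   # one pending step per session, consumed on success
            return "ok"
        pending.failures += 1
        if pending.failures >= MAX_FAILURES:
            pending.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
```

The caller never passes a user id to `verify`; the identity comes from the pending record that `begin_second_factor` created after the password check, which is the session binding the advisory says `/admin/check` lacked. The failure counter and lock live on that same record, so a client cannot reset them by starting a new request, and a used time step is remembered per user so a captured code cannot be replayed within its validity window.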
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker sends repeated POST requests to /admin/check containing the target user-id and sequential six-digit token values from 000000 to 999999. Once the correct code is found, the attacker proceeds into the administrative interface as the targeted user. The vulnerability is described in the phpMyFAQ GitHub Security Advisory and the VulnCheck Advisory.
No verified public proof-of-concept code is referenced in the advisory data. See the security advisories above for technical details.
Detection Methods for CVE-2026-45010
Indicators of Compromise
- High-volume POST requests from a single source IP address to /admin/check within a short timeframe.
- Sequential or rapidly varying numeric values in the TOTP token parameter submitted to /admin/check.
- Successful administrator session establishment immediately following a burst of failed /admin/check requests.
- Administrative actions originating from IP addresses not previously associated with administrator accounts.
Detection Strategies
- Inspect web server and application logs for repeated requests to /admin/check exceeding a reasonable threshold per source IP or per user-id.
- Alert on requests to /admin/check that iterate through numeric token values within a short interval.
- Correlate failed TOTP submissions with subsequent successful administrator logins from the same source.
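The first and third detection strategies above can be run directly over web server access logs. The Python below is an added example (not part of the advisory or of phpMyFAQ) that parses combined-format access log lines, keeps a sliding per-source-IP window of POST requests to /admin/check, raises an alert when the count in that window reaches a threshold, and then flags the alert if the same IP reaches another /admin path with a 200 or 302 shortly afterwards. The log lines, the IP addresses, the window and threshold values are all constructed for the example; because the TOTP value travels in the POST body, it does not appear in a standard access log, so request rate rather than the submitted code is the signal used here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Combined log format as written by nginx and Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)
WINDOW = timedelta(seconds=60)       # assumed sliding window
THRESHOLD = 20                       # assumed /admin/check POSTs per IP per window
FOLLOW_UP = timedelta(seconds=300)   # assumed period in which admin access after a burst is suspicious


def parse_line(line: str) -> Optional[dict]:
    """Return ip/ts/method/path/status for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD, follow_up=FOLLOW_UP) -> List[dict]:
    """Alert on per-IP bursts of POST /admin/check and note follow-on admin access."""
    recent: Dict[str, deque] = defaultdict(deque)   # ip -> timestamps inside the window
    open_alerts: Dict[str, dict] = {}                # ip -> alert still inside its follow-up period
    alerts: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        for stale in [k for k, a in open_alerts.items() if ts - a["last_seen"] > follow_up]:
            del open_alerts[stale]
        if rec["method"] == "POST" and rec["path"] == "/admin/check":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if ip in open_alerts:
                open_alerts[ip]["last_seen"] = ts
                open_alerts[ip]["count"] += 1
            elif len(q) >= threshold:
                alert = {"ip": ip, "first_seen": q[0], "last_seen": ts,
                         "count": len(q), "followed_by_admin_access": False}
                alerts.append(alert)
                open_alerts[ip] = alert
        elif ip in open_alerts and rec["path"].startswith("/admin") and rec["status"] in (200, 302):
            # Strategy 3: admin interface reached from the same source right after the burst.
            open_alerts[ip]["followed_by_admin_access"] = True
    return alerts


# Constructed sample log: one ordinary visitor, one source hammering /admin/check,
# then that same source loading the admin interface.
_BASE = datetime(2026, 5, 15, 10, 0, 0, tzinfo=timezone.utc)


def _line(ip: str, offset: int, method: str, path: str, status: int) -> str:
    ts = (_BASE + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "curl/8.0"'


SAMPLE_LOG = (
    [_line("198.51.100.5", 0, "GET", "/index.php", 200)]
    + [_line("203.0.113.7", i, "POST", "/admin/check", 200) for i in range(25)]
    + [_line("198.51.100.5", 30, "POST", "/admin/check", 200)]
    + [_line("203.0.113.7", 40, "GET", "/admin/", 200)]
)

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f'{a["ip"]}: {a["count"]} POST /admin/check in window starting {a["first_seen"]}, '
              f'admin access afterwards: {a["followed_by_admin_access"]}')
```

In a SIEM the same logic maps to a count-by-source rule over a time window plus a sequence rule joining it to later admin-path responses from that source. The threshold should sit well above the handful of attempts a legitimate administrator makes when mistyping a code, and per-user-id counting is only possible where the application itself logs the user-id field, since the access log does not carry it.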
Monitoring Recommendations
- Forward phpMyFAQ web access logs to a centralized log aggregation or SIEM platform.
- Track administrator login events and create baselines for normal source IPs, user agents, and access times.
- Monitor outbound activity from the phpMyFAQ host for signs of post-compromise behavior such as file uploads, configuration changes, or new administrator account creation.
How to Mitigate CVE-2026-45010
Immediate Actions Required
- Upgrade phpMyFAQ to version 4.1.2 or later, which addresses the missing session binding and rate limiting on /admin/check.
- Restrict network access to the /admin/ path to trusted source IP ranges or via a VPN until patching is complete.
- Rotate administrator passwords and reset TOTP enrollment secrets after applying the patch.
- Review administrator audit logs for unauthorized access or configuration changes.
Patch Information
Upgrade to phpMyFAQ 4.1.2 or later. The fix is referenced in the phpMyFAQ GitHub Security Advisory GHSA-9pq7-mfwh-xx2j.
Workarounds
- Place phpMyFAQ behind a reverse proxy or Web Application Firewall (WAF) and apply rate limiting to /admin/check requests per source IP.
- Restrict /admin/ access by source IP using web server configuration directives until the upgrade is deployed.
- Temporarily disable external access to the administrative interface and require VPN connectivity for administrators.
# Example nginx rate-limit and IP allowlist for /admin/check
# limit_req_zone belongs in the http {} context; the location block goes in the
# server {} that fronts phpMyFAQ. phpmyfaq_backend is a placeholder upstream name.
limit_req_zone $binary_remote_addr zone=admincheck:10m rate=5r/m;

upstream phpmyfaq_backend {
    server 127.0.0.1:8080;   # placeholder: address of the phpMyFAQ application server
}

server {
    location = /admin/check {
        allow 10.0.0.0/8;    # trusted administrator range; adjust to your network
        deny all;
        limit_req zone=admincheck burst=5 nodelay;   # at most 5 requests/minute per client IP
        proxy_pass http://phpmyfaq_backend;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.