CVE-2026-46359 Overview
CVE-2026-46359 is a SQL injection vulnerability [CWE-89] in phpMyFAQ versions before 4.1.2. The flaw resides in the CurrentUser::setTokenData method, which fails to escape OAuth token fields before incorporating them into SQL statements. Authenticated attackers with Azure Active Directory accounts can inject SQL metacharacters through display names or JSON Web Token (JWT) claims. The malicious claims break out of string literals and execute arbitrary database queries against the phpMyFAQ backend.
Critical Impact
Authenticated attackers can execute arbitrary SQL queries against the phpMyFAQ database by injecting metacharacters into OAuth token claims, leading to data theft, modification, or full database compromise.
Affected Products
- phpMyFAQ versions prior to 4.1.2
- Installations integrated with Azure AD OAuth authentication
- Deployments using CurrentUser::setTokenData for token-based login flows
Discovery Timeline
- 2026-05-15 - CVE-2026-46359 published to the National Vulnerability Database (NVD)
- 2026-05-18 - Last updated in NVD database
- 2026-05-21 - Exploit Prediction Scoring System (EPSS) data recorded
Technical Details for CVE-2026-46359
Vulnerability Analysis
The vulnerability exists in phpMyFAQ's handling of OAuth token data inside the CurrentUser::setTokenData method. When a user authenticates through Azure AD, the application reads identity claims from the returned JWT and stores them in the local user database. The function constructs SQL statements by concatenating these claim values directly into query strings. No parameterized queries or escaping routines are applied to fields such as the OAuth display name.
An attacker controlling an Azure AD identity can craft display names or other JWT claims containing single quotes and SQL syntax. When phpMyFAQ persists this data, the malicious payload terminates the intended string literal and appends arbitrary SQL. The attacker then influences SELECT, INSERT, or UPDATE operations against the backend database.
Root Cause
The root cause is improper neutralization of attacker-controlled OAuth claim values before they are placed in SQL statements [CWE-89]: the values are neither escaped nor bound as query parameters. The setTokenData implementation treats federated identity attributes as trusted because they arrive inside a signed token. A valid signature only proves which issuer minted the token; it says nothing about whether the values inside are safe to splice into a query. Fields such as name or preferred_username remain attacker-controlled and need the same handling as any other untrusted input, ideally a prepared statement rather than escaping.
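The following added example (not phpMyFAQ code) reproduces the pattern described in the analysis and root cause above against an in-memory SQLite database. The table and column names, the shape of the claim dictionary, and the malicious name claim are all constructed for illustration; phpMyFAQ's real schema and the exact statement in setTokenData are not shown on this page. The vulnerable function concatenates the name claim into an UPDATE, the hardened function binds it as a parameter.

```python
import sqlite3

# Constructed fixture: a minimal stand-in for a user-profile table.
# Table and column names are assumptions, not phpMyFAQ's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faquserdata (user_id INTEGER PRIMARY KEY, display_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO faquserdata VALUES (?, ?, ?)",
        [(1, "Alice Admin", "alice@corp.example"),
         (2, "Mallory", "mallory@corp.example")],
    )
    conn.commit()
    return conn


def set_token_data_vulnerable(conn: sqlite3.Connection, user_id: int, claims: dict) -> None:
    """Flawed pattern: the claim value is spliced into the SQL text itself."""
    sql = (
        "UPDATE faquserdata SET display_name='" + claims["name"] + "'"
        " WHERE user_id=" + str(user_id)
    )
    conn.execute(sql)
    conn.commit()


def set_token_data_fixed(conn: sqlite3.Connection, user_id: int, claims: dict) -> None:
    """Hardened pattern: the value travels as a bound parameter, never as SQL."""
    conn.execute(
        "UPDATE faquserdata SET display_name=? WHERE user_id=?",
        (claims["name"], user_id),
    )
    conn.commit()


# Constructed malicious 'name' claim: closes the string literal, adds a second
# SET column, then comments out the original WHERE clause so every row is hit.
MALICIOUS_NAME = "Mallory', email='attacker@evil.example' -- "


def rows(conn: sqlite3.Connection) -> list:
    return conn.execute(
        "SELECT user_id, display_name, email FROM faquserdata ORDER BY user_id"
    ).fetchall()


def demo() -> tuple:
    """Run the same poisoned claim through both code paths and return both tables."""
    vuln = make_db()
    set_token_data_vulnerable(vuln, 2, {"name": MALICIOUS_NAME})
    fixed = make_db()
    set_token_data_fixed(fixed, 2, {"name": MALICIOUS_NAME})
    return rows(vuln), rows(fixed)


if __name__ == "__main__":
    vuln_rows, fixed_rows = demo()
    print("vulnerable:", vuln_rows)   # every row now carries the attacker's e-mail
    print("fixed:     ", fixed_rows)  # only user 2's display name changed, stored verbatim
```

In the vulnerable path the statement the database sees is UPDATE faquserdata SET display_name='Mallory', email='attacker@evil.example' -- ' WHERE user_id=2, so the administrator's e-mail is overwritten along with everyone else's, which is a realistic path to account takeover via password reset. The bound-parameter version stores the hostile string literally in the one intended row.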
Attack Vector
Exploitation requires the attacker to authenticate through a federated Azure AD tenant connected to the target phpMyFAQ instance and to control a directory account whose attributes contain SQL metacharacters. The login flow is interactive, so the attacker has to complete the OAuth sign-in with the poisoned account; no action by another user is involved. The vulnerability manifests when phpMyFAQ writes the token data to its database. See the GitHub Security Advisory and the VulnCheck Advisory on SQL Injection for technical details.
Detection Methods for CVE-2026-46359
Indicators of Compromise
- OAuth login events where the asserted display name contains characters such as ', ;, --, or SQL keywords like UNION and SELECT.
- Unexpected modifications to the phpMyFAQ faquser or faquserdata tables following a federated login.
- Database error log entries referencing syntax errors triggered during setTokenData calls.
Detection Strategies
- Inspect phpMyFAQ application logs for failed or anomalous Azure AD authentication callbacks containing encoded SQL metacharacters.
- Enable database query or error logging and alert on syntax errors, unexpected comment sequences (-- or /*), or statements touching user tables that do not match the shape the application normally issues during login.
- Correlate Azure AD audit logs against phpMyFAQ login events to identify accounts with suspicious directory attributes.
Monitoring Recommendations
- Monitor for new or modified Azure AD users whose displayName or preferred_username fields contain SQL metacharacters (quotes, semicolons, comment sequences) or SQL keywords. Expect some noise from legitimate apostrophes in surnames and score rather than block on a single quote.
- Track queries issued by the phpMyFAQ database account to identify unusual INFORMATION_SCHEMA reads, privilege changes, or writes to tables the login flow should not touch.
- Forward web server access logs and database audit logs to a centralized analytics platform for correlation across the OAuth flow.
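As an added example for the indicators, detection strategies, and monitoring recommendations above (not part of the original page or of phpMyFAQ), the script below decodes ID tokens recorded in application log lines and scores the identity claims for SQL metacharacters. The log line format, the oauth_callback tag, the list of watched claims, the weights and the alert threshold are assumptions; the tokens are unsigned fixtures constructed inline so the script runs offline. Decoding without verifying the signature is acceptable here because the application already verified the token when the login happened; this is retrospective review, not authentication.

```python
import base64
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Constructed unsigned JWT fixture (alg 'none') for the sample log; not a real tenant token."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


# Constructed sample log: "<timestamp> oauth_callback user=<id> id_token=<jwt>".
# The format is an assumption; adapt LINE_RE to the real application log.
SAMPLE_LOG = "\n".join([
    "2026-05-16T08:01:02Z oauth_callback user=1 id_token=" + make_token(
        {"name": "Alice Admin", "preferred_username": "alice@corp.example"}),
    "2026-05-16T08:05:41Z oauth_callback user=2 id_token=" + make_token(
        {"name": "Siobhan O'Brien", "preferred_username": "siobhan@corp.example"}),
    "2026-05-16T08:09:13Z oauth_callback user=3 id_token=" + make_token(
        {"name": "Mallory', email='attacker@evil.example' -- ", "preferred_username": "mallory@corp.example"}),
    "2026-05-16T08:11:55Z oauth_callback user=4 id_token=" + make_token(
        {"name": "x' UNION SELECT password FROM faquserlogin -- ", "preferred_username": "x@corp.example"}),
])

WATCHED_CLAIMS = ("name", "preferred_username", "email", "given_name", "family_name")

# Weighted indicators. A lone quote is deliberately cheap: O'Brien and D'Angelo are
# legitimate, so a quote only becomes an alert together with other SQL syntax.
_PATTERNS = (
    (re.compile(r"'"), 1),
    (re.compile(r"="), 2),
    (re.compile(r";"), 2),
    (re.compile(r"--|/\*|#"), 3),
    (re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I), 3),
)
ALERT_THRESHOLD = 3


def score_claim_value(value: str) -> int:
    """Sum the weights of every indicator class present in the claim value."""
    return sum(weight for pat, weight in _PATTERNS if pat.search(value))


def decode_payload(token: str) -> dict:
    """Decode the JWT payload segment (no signature check: this is log review, not auth)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


LINE_RE = re.compile(r"user=(\S+) id_token=(\S+)")


def scan_log(text: str) -> list:
    """Return one finding per (login, claim) whose score reaches the alert threshold."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, token = m.groups()
        claims = decode_payload(token)
        for claim in WATCHED_CLAIMS:
            value = claims.get(claim)
            if isinstance(value, str):
                score = score_claim_value(value)
                if score >= ALERT_THRESHOLD:
                    findings.append({"user": user, "claim": claim, "value": value, "score": score})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"user={f['user']} claim={f['claim']} score={f['score']} value={f['value']!r}")
```

Run against the constructed log, users 3 and 4 are flagged and the apostrophe in O'Brien stays below the threshold. Feeding the same scoring into the Azure AD audit log for displayName changes gives the directory-side view recommended above.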
How to Mitigate CVE-2026-46359
Immediate Actions Required
- Upgrade phpMyFAQ to version 4.1.2 or later, which patches CurrentUser::setTokenData against this injection.
- Review the Azure AD accounts permitted to sign in to phpMyFAQ, including guest accounts, and investigate any whose displayName or preferred_username contains SQL metacharacters; treat such an account as an indicator of attempted exploitation rather than a formatting quirk.
- Audit the phpMyFAQ database for unauthorized rows or modified privileges added since OAuth integration was enabled.
Patch Information
The vendor fixed the issue in phpMyFAQ 4.1.2. Administrators should apply the upstream release published in the GitHub Security Advisory GHSA-pm8c-3qq3-72w7. After upgrading, restart the web server and clear cached sessions to invalidate any tokens generated before the patch.
Workarounds
- Temporarily disable Azure AD or OAuth-based authentication until the upgrade to 4.1.2 is complete.
- Restrict phpMyFAQ federation to a trusted Azure AD tenant where directory attribute changes are tightly controlled. Note that B2B guest accounts carry attributes governed by their home tenant, so limiting guest access matters as much as controlling local attributes.
- A Web Application Firewall (WAF) is of limited value here: in the authorization code flow the callback request only carries code and state, and the claims arrive in an ID token that the application fetches server-side, so a WAF inspecting the callback never sees them. Only a rule that decodes the JWT payload (where the token does pass through the WAF) can inspect claim values, and it should be treated as a stopgap, not a fix.
# Example: upgrade phpMyFAQ to 4.1.2 (adapt paths, database name and service names to your deployment; back up first)
mysqldump --single-transaction phpmyfaq > phpmyfaq-pre-4.1.2.sql   # "phpmyfaq" is a placeholder database name
composer require thorsten/phpmyfaq:^4.1.2   # only for Composer-managed deployments; otherwise deploy the upstream 4.1.2 release archive
php scripts/upgrade.php                      # run the project's database updater for your release; confirm the exact step in the release notes
systemctl restart php-fpm nginx              # restart PHP and the web server so no pre-patch code stays resident
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.