CVE-2026-46364 Overview
CVE-2026-46364 is an unauthenticated SQL injection vulnerability in phpMyFAQ versions prior to 4.1.2. The flaw resides in the BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods, which interpolate unsanitized HTTP User-Agent header values directly into DELETE and INSERT SQL statements. Attackers can reach the vulnerable code path through the public GET /api/captcha endpoint without authentication. Successful exploitation enables time-based blind SQL injection, allowing extraction of user credentials, administrator tokens, and SMTP credentials stored in the database. The issue is tracked under CWE-89.
Critical Impact
Unauthenticated remote attackers can extract sensitive database contents, including admin tokens and credentials, by sending crafted User-Agent headers to a public captcha endpoint.
Affected Products
- phpMyFAQ versions prior to 4.1.2
- BuiltinCaptcha::garbageCollector() method
- BuiltinCaptcha::saveCaptcha() method
Discovery Timeline
- 2026-05-15 - CVE-2026-46364 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-46364
Vulnerability Analysis
The vulnerability stems from improper neutralization of special elements in SQL commands. phpMyFAQ's built-in CAPTCHA component records and prunes captcha entries using the client's User-Agent string as part of DELETE and INSERT queries. The header value is concatenated into the SQL statement without parameterization or escaping.
The GET /api/captcha endpoint is publicly accessible and invokes both the garbage collector and the save routine on each request. Any HTTP client can therefore trigger the injection path, making the bug reachable without prior authentication, session state, or user interaction.
Because the affected queries do not return data to the response body, attackers rely on time-based blind techniques such as SLEEP() or pg_sleep() payloads. Boolean-based or out-of-band variants are also viable depending on the underlying database driver. Extracted artifacts include hashed user passwords, admin API tokens, and configured SMTP credentials, which can be reused to pivot into mail infrastructure or administrative panels.
Root Cause
The root cause is direct string interpolation of attacker-controlled HTTP header data into SQL statements within BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha(). Neither prepared statements nor input sanitization were applied to the User-Agent value before it reached the database layer.
Attack Vector
The attack vector is network-based and requires no privileges. An attacker sends an HTTP GET request to /api/captcha with a malicious User-Agent header containing SQL syntax. The phpMyFAQ backend processes the header inside captcha lifecycle queries, executing the injected SQL against the configured database. Exploitation can be performed with any HTTP client capable of setting custom headers. Detailed analysis is available in the VulnCheck SQL Injection Advisory and the upstream GitHub Security Advisory.
No verified public proof-of-concept code was included in the enriched dataset, so synthetic exploit code is omitted. Refer to the linked advisories for technical specifics.
Detection Methods for CVE-2026-46364
Indicators of Compromise
- HTTP requests to /api/captcha containing SQL keywords such as SLEEP, BENCHMARK, pg_sleep, UNION, or SELECT inside the User-Agent header.
- Anomalously long response times on /api/captcha requests, indicative of time-based blind injection.
- Repeated /api/captcha requests from a single source with progressively varying User-Agent strings, consistent with character-by-character data extraction.
- Database query logs showing INSERT or DELETE operations against the captcha table with non-printable or oversized User-Agent values.
Detection Strategies
- Inspect web server access logs for User-Agent headers that exceed expected length or contain SQL syntax tokens.
- Enable database query logging for the captcha tables and alert on statements where the user-agent column contains SQL metacharacters such as quotes, semicolons, or parentheses.
- Deploy a Web Application Firewall (WAF) signature that flags SQL injection patterns within the User-Agent header on requests to /api/captcha.
Monitoring Recommendations
- Baseline normal /api/captcha response latency and alert on outliers consistent with SLEEP-based payloads.
- Correlate spikes in /api/captcha traffic with subsequent administrative logins or SMTP authentication events to detect credential reuse.
- Forward web server and database logs to a centralized analytics platform for retroactive hunting against the User-Agent injection pattern.
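As an added example (not code from the advisories or from phpMyFAQ), the following Python script applies the indicators and detection strategies above to web server access-log lines: SQL keywords or a quote in the User-Agent on /api/captcha requests, oversized User-Agent values, latency outliers against a benign baseline, and User-Agent rotation from a single source. The log format with a trailing response-time field, the thresholds, and the sample lines are all assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict
from statistics import median

# Combined Log Format plus one trailing field: response time in milliseconds
# (assumed, e.g. nginx $request_time converted to ms in the log_format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<ms>\d+)$'
)
# A single quote or one of the SQL keywords listed in the indicators above.
SQL_TOKENS = re.compile(r"'|\b(?:SLEEP|BENCHMARK|PG_SLEEP|UNION|SELECT)\b", re.I)
MAX_UA_LEN = 256      # assumed ceiling; derive it from your own traffic baseline
SLOW_FACTOR = 10      # outlier = more than SLOW_FACTOR x median benign latency
MIN_DISTINCT_UAS = 3  # distinct User-Agents from one source before flagging rotation

# Constructed sample traffic (not real logs): line 1 is a normal client, lines 3-4
# carry SLEEP tokens and take 5-6 s, line 5 has a 300-character User-Agent.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [15/May/2026:10:00:01 +0000] "GET /api/captcha HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)" 43',
    '203.0.113.10 - - [15/May/2026:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux x86_64)" 61',
    '198.51.100.7 - - [15/May/2026:10:00:05 +0000] "GET /api/captcha HTTP/1.1" 200 512 "-" "Mozilla/5.0\' AND SLEEP(5)-- " 5047',
    '198.51.100.7 - - [15/May/2026:10:00:11 +0000] "GET /api/captcha HTTP/1.1" 200 512 "-" "Mozilla/5.0\' AND SLEEP(6)-- " 6039',
    '198.51.100.7 - - [15/May/2026:10:00:17 +0000] "GET /api/captcha HTTP/1.1" 200 512 "-" "' + "A" * 300 + '" 40',
])

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text):
    """Return (reason, source_ip, detail) findings for /api/captcha requests."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    captcha = [r for r in records if r["path"].split("?", 1)[0] == "/api/captcha"]
    # Latency baseline from requests whose User-Agent carries no SQL tokens.
    benign_ms = [int(r["ms"]) for r in captcha if not SQL_TOKENS.search(r["ua"])]
    baseline = median(benign_ms) if benign_ms else None
    findings, uas_by_ip = [], defaultdict(set)
    for r in captcha:
        ua = r["ua"]
        uas_by_ip[r["ip"]].add(ua)
        if SQL_TOKENS.search(ua):
            findings.append(("sql_tokens_in_user_agent", r["ip"], ua))
        if len(ua) > MAX_UA_LEN:
            findings.append(("oversized_user_agent", r["ip"], ua))
        if baseline and int(r["ms"]) > SLOW_FACTOR * baseline:
            findings.append(("latency_outlier", r["ip"], ua))
    for ip, uas in uas_by_ip.items():
        if len(uas) >= MIN_DISTINCT_UAS:
            findings.append(("user_agent_rotation", ip, f"{len(uas)} distinct User-Agents"))
    return findings
```

Running analyze(SAMPLE_LOG) yields all four finding types, every one attributed to 198.51.100.7, while the normal client on line 1 produces nothing.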
How to Mitigate CVE-2026-46364
Immediate Actions Required
- Upgrade phpMyFAQ to version 4.1.2 or later as published in the GitHub Security Advisory GHSA-289f-fq7w-6q2w.
- Rotate all credentials stored in the phpMyFAQ database, including administrator passwords, API tokens, and SMTP credentials, assuming exposure until logs confirm otherwise.
- Review web server and database logs for evidence of prior exploitation against /api/captcha.
Patch Information
The maintainers addressed the issue in phpMyFAQ 4.1.2. Refer to the upstream GitHub commit and the GitHub Security Advisory for the full set of changes. The fix replaces unsafe string interpolation in BuiltinCaptcha with parameterized queries.
Workarounds
- Restrict access to /api/captcha at the reverse proxy or WAF layer until patching is complete.
- Apply a WAF rule that rejects requests where the User-Agent header contains SQL metacharacters or exceeds a strict length limit.
- Temporarily disable the built-in CAPTCHA module if business processes permit, removing the vulnerable code path from request handling.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.