CVE-2026-46365 Overview
CVE-2026-46365 is a missing authorization vulnerability [CWE-862] in phpMyFAQ versions before 4.1.2. The flaw resides in the DELETE /admin/api/content/tags/{tagId} endpoint, which fails to enforce role-based access control. Any authenticated user, including regular frontend accounts without administrative privileges, can delete arbitrary tags by sending a DELETE request with a valid session cookie. Successful exploitation deletes tag data that can only be recovered from a backup and disrupts FAQ taxonomy and organization.
Critical Impact
Authenticated low-privilege users can delete tags from a phpMyFAQ instance, corrupting content organization across the knowledge base; the deleted tags can be recovered only from a backup.
Affected Products
- phpMyFAQ versions prior to 4.1.2
- Exposure is greatest for self-hosted deployments that expose /admin/api/ to untrusted networks
- Exposure is also greater for instances with open user registration enabled, since any visitor can obtain the authenticated session the attack requires
Discovery Timeline
- 2026-05-15 - CVE-2026-46365 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-46365
Vulnerability Analysis
The vulnerability stems from improper enforcement of authorization checks on a privileged administrative endpoint. phpMyFAQ exposes a REST API under /admin/api/content/tags/{tagId} that supports tag management operations. The DELETE handler validates only that the requester holds a valid session, not that the session belongs to a user with the delete permission on the tags resource.
This is a classic broken access control failure mapped to [CWE-862]: Missing Authorization. The server treats authentication as sufficient evidence of authorization, so a low-privilege account can perform an administrator-only action against the tag dataset (vertical privilege escalation).
The impact is integrity and availability loss. Tags are referenced across FAQ entries, search indexes, and category navigation. Their deletion cascades into broken filters, missing classifications, and orphaned content references that administrators must rebuild manually.
Root Cause
The root cause is the absence of a permission check in the tag deletion controller. The route accepts any authenticated session and proceeds directly to database deletion without validating the user's role or capability set against the requested action.
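The following is an added Python example, not phpMyFAQ's own code: it shows the CWE-862 pattern described above (a deletion handler that stops at "is there a valid session?") beside a hardened handler that also checks a permission. The session store, role table and permission names are constructed for illustration and are not the project's schema.

```python
"""Authentication is not authorization: a tag deletion handler that checks
only for a valid session, beside one that also checks a permission.
Added example; sessions, roles and permission names are constructed."""


class Unauthorized(Exception):
    """No valid session was presented (HTTP 401)."""


class Forbidden(Exception):
    """Authenticated, but the role lacks the required permission (HTTP 403)."""


# Constructed role -> permission mapping (assumed names, not phpMyFAQ's).
ROLE_PERMISSIONS = {
    "admin": {"add_faq", "edit_faq", "delete_faq", "add_tag", "delete_tag"},
    "editor": {"add_faq", "edit_faq", "add_tag"},
    "user": set(),  # a self-registered frontend account
}

# Constructed session cookie value -> (username, role).
SESSIONS = {
    "s-admin-1": ("alice", "admin"),
    "s-user-9": ("mallory", "user"),
}


class TagStore:
    """Minimal stand-in for the tags table plus an audit trail."""

    def __init__(self, tags):
        self.tags = dict(tags)
        self.audit = []

    def delete(self, tag_id, actor):
        if tag_id not in self.tags:
            raise KeyError(tag_id)
        del self.tags[tag_id]
        self.audit.append(("delete_tag", tag_id, actor))


def current_user(session_cookie):
    """Authentication only: resolve the cookie to (user, role)."""
    try:
        return SESSIONS[session_cookie]
    except KeyError:
        raise Unauthorized("no valid session") from None


def require_permission(role, permission):
    """Authorization: the caller's role must carry the named permission."""
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        raise Forbidden(f"role {role!r} lacks {permission!r}")


def delete_tag_vulnerable(store, session_cookie, tag_id):
    """CWE-862 pattern: a valid session is treated as sufficient."""
    user, _role = current_user(session_cookie)
    store.delete(tag_id, user)
    return 200


def delete_tag_fixed(store, session_cookie, tag_id):
    """Hardened: authorize before touching the store."""
    user, role = current_user(session_cookie)
    require_permission(role, "delete_tag")
    store.delete(tag_id, user)
    return 200


def demo():
    """Exercise both handlers with a frontend-user session on a fresh store.

    Returns (status of vulnerable call, status of fixed call, surviving tag ids).
    """
    store = TagStore({42: "networking", 43: "billing"})
    vulnerable_status = delete_tag_vulnerable(store, "s-user-9", 42)
    try:
        delete_tag_fixed(store, "s-user-9", 43)
        fixed_status = 200
    except Forbidden:
        fixed_status = 403
    return vulnerable_status, fixed_status, sorted(store.tags)


if __name__ == "__main__":
    print(demo())  # (200, 403, [43])
```

The order in delete_tag_fixed matters: resolve the session, check the permission, and only then reach the store, so an unauthorized caller never triggers a write or an audit entry.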
Attack Vector
The attack vector is network-based and requires only low privileges. An attacker registers or logs in as a standard user, captures the resulting session cookie, and issues a DELETE request against /admin/api/content/tags/{tagId} for any known or enumerated tag identifier. No user interaction is required, and the operation succeeds silently from the attacker's perspective.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-7cx3-2qx2-3g6w and the VulnCheck Security Advisory. No verified public exploit code is currently available.
Detection Methods for CVE-2026-46365
Indicators of Compromise
- Unexpected DELETE requests to /admin/api/content/tags/{tagId} in web server access logs from non-administrator user sessions.
- Missing or reduced tag counts in the phpMyFAQ administration dashboard without corresponding administrator audit entries.
- FAQ entries displaying broken or empty tag references after no scheduled content changes.
Detection Strategies
- Correlate the session identifier (or username) of any DELETE /admin/api/content/tags/* request against the user's role in the phpMyFAQ database and flag any deletion performed by a non-admin account. This requires the web server or application log to record the session identifier or username; the default combined access-log format does not.
- Monitor HTTP method distribution to the /admin/api/ path and alert on DELETE requests from client IP addresses or user agents with no history of administrator logins.
- Compare current tag inventory against periodic database snapshots to detect bulk deletion events.
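An added Python example (not phpMyFAQ's own tooling) that implements the first and third detection strategies above: it parses access-log lines, keeps successful DELETE requests on the tags endpoint, looks the session up in a session-to-role table, and flags deletions by non-admin or unknown sessions; a second function diffs two tag inventory snapshots. The log format (combined log with a trailing sess= field), the session table and all addresses and identifiers are constructed for the example.

```python
"""Flag tag deletions performed by non-administrator sessions.
Added example; log lines, session mapping and role names are constructed."""
import re
from dataclasses import dataclass

# Constructed access-log lines: combined-log style with the session cookie
# value appended as a trailing "sess=" field (an assumed custom log format).
ACCESS_LOG = """\
203.0.113.7 - - [15/May/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 sess=aaa111
203.0.113.7 - - [15/May/2026:10:01:09 +0000] "DELETE /admin/api/content/tags/42 HTTP/1.1" 200 17 sess=aaa111
198.51.100.4 - - [15/May/2026:10:02:30 +0000] "DELETE /admin/api/content/tags/43 HTTP/1.1" 200 17 sess=bbb222
203.0.113.9 - - [15/May/2026:10:03:11 +0000] "DELETE /admin/api/content/tags/44 HTTP/1.1" 401 0 sess=-
198.51.100.77 - - [15/May/2026:10:03:40 +0000] "DELETE /admin/api/content/tags/45 HTTP/1.1" 200 17 sess=zzz999
203.0.113.7 - - [15/May/2026:10:04:00 +0000] "POST /admin/api/content/tags HTTP/1.1" 200 17 sess=aaa111
"""

# Constructed snapshot of session -> (username, role), as pulled from the
# application's session and user tables (assumed shape, not phpMyFAQ's).
SESSIONS = {
    "aaa111": ("mallory", "user"),
    "bbb222": ("alice", "admin"),
}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'sess=(?P<sess>\S+)$'
)
TAG_DELETE_RE = re.compile(r"^/admin/api/content/tags/(?P<tag_id>\d+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    ip: str
    user: str
    role: str
    tag_id: int
    status: int


def find_unauthorized_tag_deletions(log_text, sessions, admin_roles=("admin",)):
    """Return a Finding for every successful DELETE on the tags endpoint whose
    session maps to a non-admin or unknown user.  Requests rejected with a
    4xx/5xx status are skipped because no deletion took place."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "DELETE":
            continue  # unparseable (assumed format) or not a DELETE
        t = TAG_DELETE_RE.match(m["path"])
        if not t:
            continue  # DELETE on some other admin resource
        status = int(m["status"])
        if status >= 400:
            continue
        user, role = sessions.get(m["sess"], ("<unknown>", "<unknown>"))
        if role not in admin_roles:
            findings.append(
                Finding(m["ts"], m["ip"], user, role, int(t["tag_id"]), status)
            )
    return findings


def deleted_tags(snapshot_before, snapshot_after):
    """Tag ids present in an earlier inventory snapshot but absent now; a
    large result between two consecutive snapshots indicates bulk deletion."""
    return sorted(set(snapshot_before) - set(snapshot_after))


if __name__ == "__main__":
    for f in find_unauthorized_tag_deletions(ACCESS_LOG, SESSIONS):
        print(f"{f.ts} {f.ip} user={f.user} role={f.role} deleted tag {f.tag_id}")
    print("missing since last snapshot:", deleted_tags({41, 42, 43, 44, 45}, {41, 43, 44}))
```

Unknown sessions are flagged rather than ignored: a session that is absent from the table at correlation time may simply have expired, and an analyst should still see the deletion.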
Monitoring Recommendations
- Enable verbose access logging on the web server fronting phpMyFAQ and forward logs to a centralized SIEM for retention and correlation.
- Establish a baseline of normal administrative API activity and alert on deviations in request volume or method usage.
- Track newly registered low-privilege accounts that immediately interact with /admin/api/ endpoints.
How to Mitigate CVE-2026-46365
Immediate Actions Required
- Upgrade phpMyFAQ to version 4.1.2 or later, which adds the missing authorization check on the tag deletion endpoint.
- Audit the user table and disable or remove untrusted accounts created during the exposure window.
- Restore deleted tags from the most recent verified database backup if data loss is suspected.
Patch Information
The phpMyFAQ maintainers fixed the issue in release 4.1.2. Details are published in GitHub Security Advisory GHSA-7cx3-2qx2-3g6w. Administrators should apply the upgrade through the standard phpMyFAQ update procedure and verify the installed version after deployment.
Workarounds
- Disable public user registration until the upgrade is applied to reduce the pool of accounts that can reach the vulnerable endpoint.
- Restrict access to /admin/api/ paths at the reverse proxy or web server layer using IP allowlists for administrator networks.
- Add a web application firewall or reverse-proxy rule that blocks DELETE requests to /admin/api/content/tags/* from sources outside administrator networks. A WAF cannot see the user's role behind a session cookie, so this restricts by source network only; it is a stopgap until the upgrade, not a replacement for the server-side authorization check.
# Example nginx rule restricting admin API methods other than GET/HEAD/POST
# (DELETE, PUT, PATCH, ...) to an allowlisted administrator network.
# Replace 10.0.0.0/24 and the upstream name with the deployment's values.
# nginx treats allowing GET as also allowing HEAD. If nginx itself sits
# behind a load balancer, "allow" sees the balancer's address unless the
# real_ip module is configured to recover the client address.
location ~ ^/admin/api/ {
    limit_except GET POST {
        allow 10.0.0.0/24;
        deny all;
    }
    proxy_pass http://phpmyfaq_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.