CVE-2026-46366 Overview
CVE-2026-46366 is an information disclosure vulnerability in phpMyFAQ versions before 4.1.2. The flaw resides in the getIdFromSolutionId() method, which omits permission filtering when resolving solution identifiers to FAQ entries. Unauthenticated attackers can enumerate restricted FAQ entries by iterating sequential solution IDs against the /solution_id_{id}.html endpoint. The application leaks titles and metadata of protected FAQs through redirect Location headers and canonical links on rendered pages. The weakness is classified under CWE-863: Incorrect Authorization.
Critical Impact
Unauthenticated remote attackers can enumerate all FAQ entries, including those restricted to specific users or groups, exposing titles and metadata that should remain confidential.
Affected Products
- phpMyFAQ versions prior to 4.1.2
- Installations exposing the /solution_id_{id}.html endpoint to untrusted networks
- Deployments relying on group or user-level FAQ access restrictions
Discovery Timeline
- 2026-05-15 - CVE-2026-46366 published to the National Vulnerability Database
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-46366
Vulnerability Analysis
The vulnerability stems from missing authorization checks in the getIdFromSolutionId() method of phpMyFAQ. When a request hits the /solution_id_{id}.html endpoint, the application resolves the supplied solution ID to a FAQ entry without verifying whether the requester has permission to view that entry. The server then issues a redirect to the canonical FAQ URL or renders a page containing the FAQ title. Both responses leak metadata of restricted entries through HTTP Location headers and canonical link tags. Because authentication is not required, anyone able to reach the application can enumerate the full set of solution IDs sequentially and harvest titles for every FAQ, including private ones.
Root Cause
The root cause is an authorization flaw [CWE-863] in the solution ID resolution path. The getIdFromSolutionId() method queries the FAQ database by solution identifier without applying the permission filters used elsewhere in the codebase for user and group access control. As a result, the read path bypasses the access model intended to protect restricted FAQ entries.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker scripts sequential requests against the /solution_id_{id}.html endpoint, incrementing the numeric solution ID. The server responds with redirects or rendered pages that reveal FAQ titles and canonical URLs for every entry resolved, including those locked to specific users or groups.
No verified public exploit code is available. For technical details, refer to the GitHub Security Advisory GHSA-99qv-g4x9-mgc3 and the VulnCheck advisory.
Detection Methods for CVE-2026-46366
Indicators of Compromise
- High-volume sequential requests to /solution_id_{id}.html from a single client or small set of IP addresses
- Repeated HTTP 302 redirects from the solution ID endpoint to canonical FAQ URLs in access logs
- Requests to solution IDs that correspond to FAQs flagged as restricted in the phpMyFAQ administration backend
Detection Strategies
- Parse web server access logs for sequential numeric increments in solution_id_ URI patterns originating from unauthenticated sessions
- Alert on unauthenticated clients generating more than a threshold number of /solution_id_* requests per minute
- Correlate redirect responses to restricted FAQ canonical URLs against the source IP reputation and session state
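The first two strategies can be combined into one log check. The following is an added example, not code from phpMyFAQ or either advisory: it assumes the web server writes the combined log format, and the window and thresholds are illustrative values to tune per site. Session or authentication state is not present in a default access log, so this sketch keys on client IP only.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format; captures client IP, timestamp, solution ID and status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?:GET|HEAD) /solution_id_(?P<sid>\d+)\.html[^"]*" (?P<status>\d{3}) ')

def longest_run(ids):
    """Length of the longest run n, n+1, n+2, ... among the distinct IDs."""
    present, best = set(ids), 0
    for n in present:
        if n - 1 not in present:            # n is the start of a run
            length = 1
            while n + length in present:
                length += 1
            best = max(best, length)
    return best

def find_enumeration(lines, window=timedelta(minutes=1), min_requests=10, min_run=8):
    """Map each flagged client IP to its most sequential window of requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, int(m["sid"]), m["status"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # slide the window forward
            chunk = events[start:end + 1]
            run = longest_run(sid for _, sid, _ in chunk)
            if len(chunk) >= min_requests and run >= min_run and \
                    run > flagged.get(ip, {}).get("longest_run", 0):
                flagged[ip] = {"requests": len(chunk), "longest_run": run,
                               "redirects": sum(s == "302" for _, _, s in chunk)}
    return flagged

# Constructed sample: one client walking IDs 1000-1011, one normal visitor.
SAMPLE = [f'203.0.113.7 - - [16/May/2026:10:00:{i:02d} +0000] "GET /solution_id_{1000 + i}.html '
          f'HTTP/1.1" 302 0 "-" "constructed-agent"' for i in range(12)]
SAMPLE += [f'198.51.100.20 - - [16/May/2026:10:{m:02d}:00 +0000] "GET /solution_id_{sid}.html '
           f'HTTP/1.1" 302 0 "-" "constructed-agent"' for m, sid in [(1, 1004), (9, 1042), (30, 1001)]]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE))
```

Requiring both a request count and a consecutive-ID run keeps ordinary visitors who follow a few solution links from being flagged.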
Monitoring Recommendations
- Forward phpMyFAQ application and web server logs to a centralized log platform for retention and search
- Build dashboards that track request rates against the /solution_id_* endpoint segmented by authentication state
- Monitor outbound bandwidth and response counts from FAQ endpoints for anomalies consistent with bulk enumeration
How to Mitigate CVE-2026-46366
Immediate Actions Required
- Upgrade phpMyFAQ to version 4.1.2 or later, which adds the missing permission filtering in getIdFromSolutionId()
- Restrict access to the phpMyFAQ application using network controls or a reverse proxy where the FAQ content is not intended for public consumption
- Review the FAQ catalog for entries that were restricted and assume their titles may have been disclosed
Patch Information
The maintainers fixed the issue in phpMyFAQ 4.1.2 by adding permission filtering to the getIdFromSolutionId() method. Refer to the GitHub Security Advisory GHSA-99qv-g4x9-mgc3 for upgrade instructions and the corresponding commit.
Workarounds
- Place the /solution_id_* endpoint behind authentication using a web server or reverse proxy rule until the upgrade is applied
- Rate-limit requests to the solution ID endpoint to slow large-scale enumeration attempts
- Temporarily remove or unpublish restricted FAQ entries from the database if exposure of their titles is unacceptable
```nginx
# Example nginx rule to require authentication on the solution_id endpoint
location ~ ^/solution_id_[0-9]+\.html$ {
    auth_basic "phpMyFAQ restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://phpmyfaq_backend;
}
```