PT-2026-41364 · Phpmyfaq · Phpmyfaq
Offset
·
Published
2026-05-06
·
Updated
2026-05-15
·
CVE-2026-46362
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
phpMyFAQ versions prior to 4.1.2
Description
An authorization bypass exists in the
userHasPermission() function of the AbstractAdministrationController class. The function catches a ForbiddenException when a user lacks required permissions and sends a forbidden HTML response via $response->send(), but it fails to terminate the script execution. Consequently, the calling controller method continues to run, fetching protected data and rendering the full template. The final response appends the protected content to the forbidden page, allowing any authenticated admin user to access restricted pages regardless of their actual permissions.This issue affects 58 admin controllers, potentially exposing sensitive information such as admin logs (including IP addresses and usernames), user management data, system information (PHP and server configurations), application settings, and backup functionality.
Recommendations
Update to version 4.1.2 or later.
As a temporary workaround, restrict access to the
AbstractAdministrationController and its extending controllers to only highly trusted administrators until the update is applied.Exploit
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Phpmyfaq