PT-2026-44382 · Phpmyfaq · Phpmyfaq

Cyberhunter127 · Published 2026-05-20 · Updated 2026-05-30 · CVE-2026-35671

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 4.1.3

Description: An Insecure Direct Object Reference (IDOR) exists in the Admin API that allows any authenticated administrator to change the password of any user account, including SuperAdmin accounts, without proper authorization verification. An attacker holding low-privilege admin credentials can escalate to full SuperAdmin control by modifying the userId parameter in the request body. The issue lies in the overwritePassword() function behind the /admin/api/user/overwrite-password endpoint: the handler never verifies that the requesting administrator is permitted to modify the target user, nor that the target user holds an equal or lower privilege level.

Recommendations: Update to version 4.1.3 or later. As a temporary workaround, restrict access to the /admin/api/user/overwrite-password endpoint to the highest privilege levels only.
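The authorization check the advisory describes as missing, written out as an added example in PHP. This is illustrative code, not phpMyFAQ's own overwritePassword() implementation: the in-memory user table, the role levels, the policy and the function names are all assumptions made for the example. The point it demonstrates is that the client-supplied userId must be checked against the requester's own privilege before any write happens, and that a refused attempt is logged so the escalation pattern is visible in monitoring.

```php
<?php
// Added illustration (not phpMyFAQ code): a password-overwrite handler that
// performs the authorization checks the advisory describes as missing.
// The user store, role levels and function names are hypothetical.

declare(strict_types=1);

// Hypothetical ordering of roles; higher number = more privilege.
const ROLE_LEVELS = ['user' => 1, 'admin' => 2, 'superadmin' => 3];

// Constructed in-memory user table keyed by userId.
$users = [
    1 => ['role' => 'superadmin', 'hash' => password_hash('initial-1', PASSWORD_DEFAULT)],
    2 => ['role' => 'admin',      'hash' => password_hash('initial-2', PASSWORD_DEFAULT)],
    3 => ['role' => 'user',       'hash' => password_hash('initial-3', PASSWORD_DEFAULT)],
];

/**
 * Decide whether $requesterId may overwrite the password of $targetId.
 * Policy (hypothetical): the requester must hold an admin-or-higher role,
 * and the target's role level must not exceed the requester's. An unknown
 * requester, an unknown target, or an unknown role is refused.
 */
function canOverwritePassword(array $users, int $requesterId, int $targetId): bool
{
    if (!isset($users[$requesterId], $users[$targetId])) {
        return false;
    }
    $requesterLevel = ROLE_LEVELS[$users[$requesterId]['role']] ?? 0;
    $targetLevel    = ROLE_LEVELS[$users[$targetId]['role']] ?? PHP_INT_MAX;

    return $requesterLevel >= ROLE_LEVELS['admin'] && $targetLevel <= $requesterLevel;
}

/**
 * Handler for a request body such as {"userId": 1, "newPassword": "..."}.
 * $sessionUserId is the authenticated caller taken from the session, never
 * from the body. The target userId comes from the client and is only acted
 * on after the authorization check. Returns [httpStatus, message].
 */
function overwritePasswordHandler(array &$users, int $sessionUserId, array $body): array
{
    if (!isset($body['userId'], $body['newPassword'])) {
        return [400, 'missing userId or newPassword'];
    }
    $targetId = (int) $body['userId'];

    if (!canOverwritePassword($users, $sessionUserId, $targetId)) {
        // Record the refused attempt: a lower-privileged admin aiming at a
        // higher role is the exact pattern the advisory describes.
        error_log(sprintf('refused password overwrite: requester=%d target=%d',
            $sessionUserId, $targetId));
        return [403, 'not authorized to modify this user'];
    }

    $users[$targetId]['hash'] = password_hash((string) $body['newPassword'], PASSWORD_DEFAULT);
    return [200, 'password updated'];
}

// Demonstration: an ordinary admin (id 2) first targets the superadmin (id 1),
// then a regular user (id 3). Only the second request is allowed through.
[$status, $msg] = overwritePasswordHandler($users, 2, ['userId' => 1, 'newPassword' => 'x']);
echo "admin -> superadmin: $status $msg\n";
[$status, $msg] = overwritePasswordHandler($users, 2, ['userId' => 3, 'newPassword' => 'x']);
echo "admin -> user: $status $msg\n";
```

Run it with the PHP CLI (php overwrite_example.php). The design choice worth noting is that the privilege comparison is made on the server-side record of both users, so changing the userId in the body cannot widen what the caller is allowed to do; the temporary workaround in the advisory (limiting the endpoint to the highest privilege level) is the coarse equivalent of this per-target check.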

Exploit · Fix

Weakness Enumeration
IDOR
Improper Privilege Management
Missing Authorization
Incorrect Privilege Assignment

Related Identifiers
CVE-2026-35671
GHSA-XVP4-PHQJ-CJR3

Affected Products
Phpmyfaq