PT-2026-44383 · Phpmyfaq · Phpmyfaq

Guayu-Kakeru · Published 2026-05-20 · Updated 2026-05-28 · CVE-2026-35672

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
phpMyFAQ versions prior to 4.1.3

Description
An authentication bypass exists in API v4.0 because the installation process seeds the api.apiClientToken variable with an empty string by default. The hasValidToken() function uses strict inequality to compare the configured token with the x-pmf-token header; when both are empty, the check evaluates to false, allowing unauthenticated access. This allows attackers to inject malicious content, such as phishing links or SEO spam, by creating or modifying FAQ entries, categories, and questions.

Technical details include the following affected POST and PUT endpoints:
  • '/api/v4.0/faq/create'
  • '/api/v4.0/faq/update'
  • '/api/v4.0/category'
  • '/api/v4.0/question'
The vulnerable variable used for token validation is x-pmf-token.

Recommendations
Update to version 4.1.3 or later. As a temporary workaround, explicitly configure a non-empty value for api.apiClientToken in the system settings so that the authentication check cannot be bypassed with an empty header.
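The check described above, reconstructed as an added example beside a hardened form. This is not phpMyFAQ's own code; the function names, the $configuredToken parameter and the sample tokens are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Flawed shape (assumed reconstruction): a strict inequality between the
// configured token and the request header. With the seeded default of an
// empty configured token and an empty or absent header, '' !== '' is false,
// so the request is treated as authenticated.
function hasValidTokenVulnerable(string $configuredToken, ?string $headerToken): bool
{
    $headerToken = $headerToken ?? '';
    if ($configuredToken !== $headerToken) {
        return false;
    }
    return true;
}

// Hardened shape: refuse when no token is configured at all, refuse when the
// header is missing or empty, and compare in constant time.
function hasValidTokenHardened(string $configuredToken, ?string $headerToken): bool
{
    if ($configuredToken === '' || $headerToken === null || $headerToken === '') {
        return false;
    }
    return hash_equals($configuredToken, $headerToken);
}

// Constructed cases: the seeded empty token with an empty or absent header,
// then a properly configured token with a matching and a wrong header.
$cases = [
    ['configured' => '', 'header' => ''],
    ['configured' => '', 'header' => null],
    ['configured' => 'example-token', 'header' => 'example-token'],
    ['configured' => 'example-token', 'header' => 'wrong-token'],
];
foreach ($cases as $c) {
    printf(
        "configured=%-16s header=%-16s vulnerable=%-5s hardened=%s\n",
        var_export($c['configured'], true),
        var_export($c['header'], true),
        var_export(hasValidTokenVulnerable($c['configured'], $c['header']), true),
        var_export(hasValidTokenHardened($c['configured'], $c['header']), true)
    );
}
```

The first two rows show the bypass: the flawed check returns true for an empty configured token while the hardened check returns false, which is the same effect the advisory's workaround (a non-empty api.apiClientToken) achieves for the shipped code.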

Related Identifiers

CVE-2026-35672
GHSA-GP95-J463-VV28

Affected Products

Phpmyfaq