CVE-2026-24421
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-24

Last updated on: 2026-01-30

Assigner: GitHub, Inc.

Description
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24421
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpmyfaq phpmyfaq to 4.0.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability allows low-privileged authenticated users to create configuration backups and obtain links to ZIP files containing sensitive data. If these backup files are accessible via the web due to server misconfiguration, confidential information could be exposed. This can lead to unauthorized disclosure of sensitive configuration data, posing a high confidentiality risk without affecting integrity or availability. [1]

Detection Guidance

This vulnerability can be detected by attempting to access the `/api/setup/backup` endpoint as a non-admin authenticated user. For example, you can use curl commands to authenticate as a low-privileged user and then request the backup endpoint to see if it returns a link to a backup ZIP file. This confirms the presence of the vulnerability. [1]

Executive Summary

This vulnerability in phpMyFAQ versions 4.0.14 and below allows any authenticated user, including non-admins, to access the /api/setup/backup endpoint due to flawed authorization logic. The system only checks if a user is authenticated but does not verify if they have administrative or configuration permissions. As a result, non-admin users can trigger a configuration backup and retrieve a link to the backup ZIP file, potentially exposing sensitive data. This issue was fixed in version 4.0.17. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading phpMyFAQ to version 4.0.17 or later, where the authorization checks for the `/api/setup/backup` endpoint have been properly implemented. Additionally, ensure that the API is disabled if not needed, and verify that backup ZIP files are not publicly accessible via the web server to prevent exposure of sensitive data. [1]

Compliance Impact

The vulnerability allows low-privileged authenticated users to trigger configuration backups and obtain links to ZIP files that may contain sensitive data. If these backups are exposed due to server misconfiguration, confidential information could be accessed improperly. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls over access to sensitive information and proper authorization mechanisms. Therefore, this vulnerability poses a risk to compliance with such standards by potentially enabling unauthorized data disclosure. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24421. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart