CVE-2026-27836
Received Received - Intake
Unauthenticated Account Creation in phpMyFAQ WebAuthn Endpoint

Publication date: 2026-02-27

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27836
EUVD
EUVD-2026-9059
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpmyfaq phpmyfaq to 4.0.18 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in phpMyFAQ versions prior to 4.0.18 in the WebAuthn prepare endpoint (/api/webauthn/prepare). This endpoint allows the creation of new active user accounts without requiring any authentication, CSRF protection, captcha, or configuration checks.

As a result, unauthenticated attackers can create unlimited user accounts even if the registration feature is disabled.

This issue was fixed in version 4.0.18.

Impact Analysis

This vulnerability allows attackers to create unlimited active user accounts without any restrictions or authentication.

Such unauthorized account creation can lead to abuse of the system, potential denial of service by exhausting resources, and possible misuse of privileges associated with user accounts.

The CVSS score indicates a high impact on integrity (I:H), meaning attackers can manipulate or inject unauthorized data or actions through these accounts.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade phpMyFAQ to version 4.0.18 or later, where the issue has been fixed.

Until the upgrade is applied, consider restricting access to the /api/webauthn/prepare endpoint to trusted users or networks to prevent unauthenticated account creation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27836. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart