CVE-2026-35671
Received Received - Intake
Insecure Direct Object Reference in phpMyFAQ Admin API Allows Privilege Escalation

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: VulnCheck

Description
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-35671
EUVD
EUVD-2026-32902
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpmyfaq phpmyfaq to 4.1.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35671 is an insecure direct object reference (IDOR) vulnerability in phpMyFAQ versions before 4.1.3, specifically in the admin API user password endpoint.

This flaw allows an authenticated administrator with low privileges to change any user's password without proper authorization verification by manipulating the userId parameter in the overwrite-password API request.

As a result, an attacker can escalate their privileges to SuperAdmin by modifying the userId parameter to target the SuperAdmin account.


How can this vulnerability impact me? :

This vulnerability can have severe impacts including full system compromise.

  • An attacker with low-privilege admin credentials can escalate to SuperAdmin privileges.
  • The attacker can change any user's password, including SuperAdmin accounts, without authorization.
  • This leads to high impacts on confidentiality, integrity, and availability of the system.
  • Organizations with multiple admin users, privilege separation, or multi-tenant environments are particularly at risk.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring API requests to the admin password overwrite endpoint for suspicious manipulation of the userId parameter.

Specifically, look for authenticated admin API requests where the userId parameter is changed to target users other than the requester's own account, especially userId=1 (SuperAdmin).

Commands to detect such activity could include inspecting web server logs or API gateway logs for POST requests to the overwrite-password endpoint with unusual userId values.

  • Use grep or similar tools to search logs for the API endpoint, e.g., `grep 'overwrite-password' /var/log/nginx/access.log`
  • Filter for requests containing userId parameters different from the authenticated admin's own ID.
  • Monitor for CSRF tokens usage patterns or unexpected password change requests from low-privilege admin accounts.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading phpMyFAQ to version 4.1.3 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, restrict access to the admin API endpoints to trusted administrators only and monitor API usage closely.

Implement additional authorization checks or multi-factor authentication for password changes, especially for high-privilege accounts.

Review and limit the number of administrators with USER_EDIT permissions to reduce the attack surface.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart