CVE-2026-35672
Status: Deferred - Pending Action
Authentication Bypass in phpMyFAQ API v4.0

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: VulnCheck

Description
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS evaluated: 2026-06-16
Affected Vendors & Products
One associated CPE:
Vendor: phpmyfaq
Product: phpmyfaq
Version range: before 4.1.3 (4.1.3 excluded)
CWE
CWE-1188: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Compliance Impact

The vulnerability allows unauthenticated attackers to create and modify FAQ entries, which could lead to content injection, phishing, SEO spam, or reputation damage.

Such unauthorized modifications and the potential injection of malicious content could compromise the integrity and trustworthiness of the system's data, potentially violating data security and integrity requirements under standards such as GDPR and HIPAA.

However, the provided information does not explicitly detail the direct impact on compliance with these regulations.

Executive Summary

CVE-2026-35672 is an authentication bypass vulnerability in phpMyFAQ versions before 4.1.3. The issue occurs because the default configuration sets an empty API client token, which allows unauthenticated users to bypass token validation by sending an empty x-pmf-token header.

This flaw exists due to a faulty comparison in the hasValidToken() method, which incorrectly treats an empty token as valid when no token is configured. As a result, attackers can create, modify, or delete FAQ entries, categories, and questions through the REST API without any credentials.

Impact Analysis

Exploitation of this vulnerability allows attackers to inject malicious content into the FAQ system by creating or modifying entries, categories, and questions without authentication. Resulting risks include:

  • Content injection
  • Phishing attacks
  • SEO spam
  • Damage to the reputation of the affected site or organization
Detection Guidance

This vulnerability can be detected by checking if your phpMyFAQ installation is running a version before 4.1.3 and if the API client token is set to an empty value. Specifically, you can test if sending an empty x-pmf-token header to the REST API endpoints allows unauthorized access.

A practical detection method is to send HTTP POST requests to the vulnerable API endpoints such as /api/v4.0/faq/create, /api/v4.0/category, or /api/v4.0/question with an empty x-pmf-token header and observe if the request is accepted without authentication.

  • Use curl to test the authentication bypass, for example:
  • curl -X POST https://your-phpmyfaq-domain/api/v4.0/faq/create -H "x-pmf-token;" -d '{"question":"test","answer":"test"}' -v
  • Note the trailing semicolon: curl sends a header with an empty value only when it is written as "x-pmf-token;"; the form "x-pmf-token:" tells curl to omit the header entirely, so that variant tests a missing header rather than an empty one.
  • If the server accepts this request and creates or modifies content without requiring a valid token, the vulnerability is present. A successful test creates a real FAQ entry, so run it against a staging copy or remove the test entry afterwards.
Mitigation Strategies

The immediate mitigation step is to upgrade phpMyFAQ to version 4.1.3 or later, where this authentication bypass vulnerability has been patched.

If upgrading immediately is not possible, manually set a non-empty api.apiClientToken value in the configuration to prevent the empty token from being accepted.

Additionally, restrict access to the API endpoints by network controls or firewall rules to limit exposure until the patch is applied.
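To make the faulty comparison described in the Executive Summary and the api.apiClientToken mitigation above concrete, here is an added PHP illustration (not phpMyFAQ's own code; the ApiConfig class and both function names are assumptions modelled on the page's description). It places a check that lets an empty header match an empty default beside a hardened check that fails closed when no token is configured.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the configuration value the page calls api.apiClientToken.
final class ApiConfig
{
    public function __construct(private string $apiClientToken = '') {}

    public function get(string $key): string
    {
        return $key === 'api.apiClientToken' ? $this->apiClientToken : '';
    }
}

// Vulnerable pattern (CWE-1188): the shipped default is '' and the check only
// asks whether the header equals the configured value. With no token configured,
// an empty or absent x-pmf-token header satisfies the comparison.
function hasValidTokenVulnerable(ApiConfig $config, ?string $headerToken): bool
{
    return $config->get('api.apiClientToken') === ($headerToken ?? '');
}

// Hardened pattern: an empty configured token means the API is not enabled for
// clients, so deny outright; otherwise require a non-empty header and compare it
// in constant time so the check does not leak the secret byte by byte.
function hasValidTokenHardened(ApiConfig $config, ?string $headerToken): bool
{
    $configured = $config->get('api.apiClientToken');
    if ($configured === '' || $headerToken === null || $headerToken === '') {
        return false;
    }
    return hash_equals($configured, $headerToken);
}

// Walk through the cases the page describes (token values are constructed).
$unconfigured = new ApiConfig('');
$configured   = new ApiConfig('replace-with-a-long-random-secret');

var_dump(hasValidTokenVulnerable($unconfigured, ''));   // empty header vs empty default: the bypass case
var_dump(hasValidTokenHardened($unconfigured, ''));     // same request against the hardened check
var_dump(hasValidTokenHardened($unconfigured, null));   // header omitted entirely
var_dump(hasValidTokenHardened($configured, ''));       // token set, empty header
var_dump(hasValidTokenHardened($configured, 'replace-with-a-long-random-secret')); // matching token
```

Setting a non-empty api.apiClientToken, as the mitigation advises, is what turns the first case from a match into a denial even under the vulnerable comparison; the hardened check additionally refuses the unconfigured state altogether.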
