CVE-2026-35675
Authentication Bypass in phpMyFAQ Password Reset
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpmyfaq | phpmyfaq | to 4.1.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in phpMyFAQ versions before 4.1.3 and involves an authentication bypass in the password reset endpoint.
Unauthenticated attackers can reset any user's password without needing token verification or email confirmation.
Attackers can also enumerate valid usernames and obtain plaintext passwords via email, leading to complete account takeover, including administrative accounts.
How can this vulnerability impact me? :
The vulnerability allows attackers to reset passwords of any user without authentication, which can lead to unauthorized access.
Attackers can gain full control over user accounts, including administrative accounts, resulting in potential data breaches, loss of control over the system, and unauthorized actions.
Additionally, attackers can obtain plaintext passwords via email, increasing the risk of credential compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to reset any user account password without token verification or email confirmation, leading to complete account takeover including administrative access.
Such unauthorized access compromises the confidentiality, integrity, and availability of user data and FAQ content.
Because of this, organizations using vulnerable versions of phpMyFAQ may fail to protect personal and sensitive data adequately, potentially violating data protection regulations such as GDPR and HIPAA that require strict access controls and protection against unauthorized data access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and testing the password reset endpoint at /api/user/password/update for unauthorized password reset attempts without token verification or email confirmation.
You can attempt to send PUT requests to the endpoint with different usernames and associated email addresses to check if the system allows password resets without proper authentication.
Network detection can include monitoring for unusual or excessive PUT requests to /api/user/password/update, which may indicate username enumeration or exploitation attempts.
- Use curl to test the endpoint: curl -X PUT https://your-phpmyfaq-domain/api/user/password/update -d '{"username":"testuser","email":"[email protected]"}' -H 'Content-Type: application/json'
- Monitor web server logs for repeated PUT requests to /api/user/password/update with different usernames or emails.
- Use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on unusual activity targeting the password reset endpoint.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /api/user/password/update endpoint and applying rate limiting to prevent brute force or enumeration attacks.
Disable or restrict the password reset functionality until a patched version of phpMyFAQ (version 4.1.3 or later) is installed.
Implement additional verification mechanisms such as time-limited tokens and email confirmation before allowing password resets.
Monitor logs for suspicious activity targeting the password reset endpoint and alert on potential exploitation attempts.
Upgrade phpMyFAQ to version 4.1.3 or later where this vulnerability is fixed.