CVE-2026-49205
Missing Authorization in phpMyFAQ API Endpoints

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this->userHasPermission(PermissionType::BACKUP). The same fix was not applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken(), which checks a shared API key header rather than the individual user's role permissions. The following APIs are affected: POST /api/v4.0/category (CategoryController::create), POST /api/v4.0/faq (FaqController::create), PUT /api/v4.0/faq (FaqController::update), and POST /api/v4.0/question (QuestionController::create). This issue has been fixed in version 4.1.4.
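An added illustration, not phpMyFAQ's own code, of the two checks the description contrasts: a write endpoint gated only by the shared API key versus one that also verifies the calling user's own role permission. The class layout and the constant PermissionType::CATEGORY_ADD are assumptions made for the example; only hasValidToken() and userHasPermission() come from the advisory.

```php
<?php
// Added example, not phpMyFAQ code: minimal model of the two checks the advisory
// contrasts. Class layout and PermissionType::CATEGORY_ADD are assumptions.
enum PermissionType: string
{
    case CATEGORY_ADD = 'add_category'; // assumed name for illustration
}

final class User
{
    /** @param string[] $rights the user's own role permissions */
    public function __construct(private array $rights) {}
    public function hasRight(PermissionType $p): bool { return in_array($p->value, $this->rights, true); }
}

abstract class AbstractController
{
    private const API_KEY = 'shared-key-for-example'; // constructed value
    public function __construct(protected User $currentUser, private string $apiKeyHeader) {}

    // The only gate the vulnerable endpoints used: one key shared by every API client.
    protected function hasValidToken(): bool
    {
        return hash_equals(self::API_KEY, $this->apiKeyHeader);
    }

    // The per-user check CVE-2026-24421 added to BackupController.
    protected function userHasPermission(PermissionType $p): bool
    {
        return $this->currentUser->hasRight($p);
    }
}

final class CategoryController extends AbstractController
{
    // Before 4.1.4: any holder of the shared key may create a category.
    public function createVulnerable(): int
    {
        return $this->hasValidToken() ? 201 : 401;
    }

    // Fixed pattern: the key authenticates the client, the role check authorizes the user.
    public function createFixed(): int
    {
        if (!$this->hasValidToken()) { return 401; }
        return $this->userHasPermission(PermissionType::CATEGORY_ADD) ? 201 : 403;
    }
}

// A user who presents the valid shared key but holds no category right.
$c = new CategoryController(new User([]), 'shared-key-for-example');
printf("vulnerable=%d fixed=%d\n", $c->createVulnerable(), $c->createFixed());
```

With that user the vulnerable path accepts the request on the key alone while the fixed path refuses it, which is the gap the 4.1.4 release closes for the four listed endpoints.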
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: phpmyfaq | Product: phpmyfaq | Version / Range: up to 4.1.4 (4.1.4 excluded)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability affects phpMyFAQ versions prior to 4.1.4 and involves missing authorization checks in the API's CategoryController and other write endpoints. While a previous fix (CVE-2026-24421) added proper permission checks for the BackupController, the same fix was not applied to four other API endpoints. These endpoints only verify a shared API key token rather than checking individual user role permissions, allowing unauthorized users with a valid token to perform actions like creating or updating categories, FAQs, and questions.

Impact Analysis

The vulnerability allows unauthorized users who possess a valid shared API key to perform write operations on the phpMyFAQ application without proper permission checks. This can lead to unauthorized creation or modification of categories, FAQs, and questions, potentially compromising the integrity of the FAQ content. The CVSS score indicates a moderate severity with high confidentiality impact but no impact on integrity or availability.

Mitigation Strategies

The vulnerability is fixed in phpMyFAQ version 4.1.4. Immediate mitigation involves upgrading your phpMyFAQ installation to version 4.1.4 or later.

This update applies proper authorization checks to the affected API endpoints, preventing unauthorized access.

Compliance Impact

The vulnerability in phpMyFAQ versions prior to 4.1.4 involves missing authorization checks in several API endpoints, allowing actions to be performed based on a shared API key rather than individual user permissions.

This lack of proper authorization could potentially lead to unauthorized access or modification of data, which may impact compliance with standards and regulations such as GDPR or HIPAA that require strict access controls and protection of sensitive information.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.
