PatchSiren cyber security CVE debrief

CVE-2026-35671 thorsten CVE debrief

phpMyFAQ before 4.1.3 contains an insecure direct object reference (IDOR) vulnerability in the admin API user password endpoint. Authenticated administrators with low privileges can change any user's password, including SuperAdmin accounts, by manipulating the userId parameter in overwrite-password API requests, enabling privilege escalation. The vulnerability was disclosed on 2026-05-28 with a CVSS 4.0 score of 8.7 (HIGH severity).

Vendor: thorsten
Product: phpMyFAQ
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

  • Organizations running phpMyFAQ versions prior to 4.1.3 with the admin API enabled
  • Security teams monitoring for privilege escalation in web applications
  • Administrators responsible for FAQ/knowledge base systems

Technical summary

The vulnerability exists in the admin API's overwrite-password endpoint, where the userId parameter is not validated against the requesting administrator's authorization scope. An authenticated administrator can supply an arbitrary userId value and change the password of any account, including SuperAdmin, with no further authorization check beyond the login itself. This is CWE-266 (Incorrect Privilege Assignment) reached through an insecure direct object reference: the endpoint authenticates the caller but never decides whether that caller may act on the object named in the request. The attack requires network access to the admin API, valid low-privilege admin credentials, and no user interaction.
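The pattern described above, reduced to a small model: an added example written for this debrief, not phpMyFAQ's own code. The user table, the role policy, the request shape (a dict with userId and newPassword) and the function names are all constructed assumptions; the point is the difference between a handler that only checks authentication and one that also makes an object-level authorization decision from the caller's role before touching the target.

```python
import hashlib
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is authenticated but not authorised for the requested target."""


@dataclass
class User:
    user_id: int
    name: str
    is_superadmin: bool
    password_hash: str


def make_users() -> dict:
    """Constructed in-memory user table standing in for the real user store."""
    return {
        1: User(1, "superadmin", True, "stored-hash-1"),
        7: User(7, "helpdesk-admin", False, "stored-hash-7"),
        9: User(9, "editor", False, "stored-hash-9"),
    }


def hash_password(password: str) -> str:
    # Stand-in only; a real application uses a slow password hash (argon2/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def overwrite_password_vulnerable(users, session_user_id, request):
    """IDOR shape: the session proves the caller is an admin, but the target
    account is taken straight from the request body and acted on unchecked."""
    if session_user_id not in users:
        raise PermissionError("not authenticated")
    target = users[int(request["userId"])]  # caller-controlled object reference
    target.password_hash = hash_password(request["newPassword"])
    return target.user_id


def overwrite_password_hardened(users, session_user_id, request):
    """Object-level authorization: the target still comes from the request, but
    whether the caller may act on it is decided server-side from the caller's
    role. Constructed policy: a non-SuperAdmin may only overwrite their own
    password, and a SuperAdmin password may only be overwritten by that same
    SuperAdmin account."""
    if session_user_id not in users:
        raise PermissionError("not authenticated")
    caller = users[session_user_id]
    target_id = int(request["userId"])
    target = users.get(target_id)
    if target is None:
        raise LookupError(f"no such user {target_id}")
    if target_id != caller.user_id:
        if not caller.is_superadmin or target.is_superadmin:
            raise Forbidden(f"user {caller.user_id} may not change the password of user {target_id}")
    target.password_hash = hash_password(request["newPassword"])
    return target.user_id


def handle(handler, users, session_user_id, request) -> dict:
    """Map handler outcomes to HTTP-style responses, as an API layer would."""
    try:
        return {"status": 200, "userId": handler(users, session_user_id, request)}
    except PermissionError:
        return {"status": 401}
    except Forbidden:
        return {"status": 403}
    except LookupError:
        return {"status": 404}


if __name__ == "__main__":
    attempt = {"userId": "1", "newPassword": "attacker-chosen"}
    print("vulnerable:", handle(overwrite_password_vulnerable, make_users(), 7, attempt))
    print("hardened:  ", handle(overwrite_password_hardened, make_users(), 7, attempt))
```

The hardened handler is deliberately not the only fix available; the upgrade to 4.1.3 is the remediation for the real product. The example shows what "authorization beyond authentication" means at the code level: the decision is keyed on the caller's identity from the session and the target's role from the store, never on anything the request body claims.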

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to phpMyFAQ 4.1.3 or later to remediate the IDOR vulnerability
  • Review admin API access logs for suspicious overwrite-password requests with modified userId parameters
  • Implement additional authorization checks on sensitive admin API endpoints beyond authentication
  • Audit user accounts for unauthorized password changes, particularly SuperAdmin accounts
  • Restrict admin API access to trusted source IP ranges where feasible
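The log review in the second action above, as an added example rather than anything shipped with phpMyFAQ: a small triage script over constructed audit-log lines. The key=value line layout, the field names (actor, path, userId, status), the endpoint path and the set of SuperAdmin ids are assumptions for this example; adapt the parser to whatever the application or reverse proxy actually records. It flags overwrite-password requests where a non-SuperAdmin acts on an account other than their own, and any request that targets a SuperAdmin account from a different account.

```python
import re
from dataclasses import dataclass

# Constructed audit-log sample, not real phpMyFAQ output.
SAMPLE_LOG = """\
2026-05-29T10:14:03Z actor=7 method=POST path=/admin/api/user/overwrite-password userId=7 status=200
2026-05-29T10:15:11Z actor=7 method=POST path=/admin/api/user/overwrite-password userId=1 status=200
2026-05-29T10:15:40Z actor=7 method=POST path=/admin/api/user/overwrite-password userId=9 status=200
2026-05-29T10:16:02Z actor=1 method=POST path=/admin/api/user/overwrite-password userId=9 status=200
2026-05-29T10:17:30Z actor=7 method=GET path=/admin/api/faqs status=200
"""

SUPERADMIN_IDS = {1}  # constructed; in practice taken from the application's user table
KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    timestamp: str
    actor: int
    target: int
    status: str
    reasons: tuple


def parse_line(line: str):
    """Split a line into its leading timestamp and a dict of key=value fields."""
    timestamp, _, rest = line.partition(" ")
    return timestamp, dict(KV.findall(rest))


def find_suspicious_password_overwrites(log_text: str, superadmin_ids=SUPERADMIN_IDS):
    """Return one Finding per overwrite-password request whose actor/target pair
    is outside what a correctly authorized endpoint should ever allow."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, fields = parse_line(line)
        if "overwrite-password" not in fields.get("path", ""):
            continue
        if "actor" not in fields or "userId" not in fields:
            continue  # incomplete record; worth a separate data-quality check
        actor = int(fields["actor"])
        target = int(fields["userId"])
        reasons = []
        if actor != target and actor not in superadmin_ids:
            reasons.append("cross-account change by non-SuperAdmin")
        if target in superadmin_ids and actor != target:
            reasons.append("target is SuperAdmin")
        if reasons:
            findings.append(Finding(timestamp, actor, target, fields.get("status", "?"), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_password_overwrites(SAMPLE_LOG):
        print(f"{f.timestamp} actor={f.actor} userId={f.target} status={f.status}: {', '.join(f.reasons)}")
```

Requests are flagged regardless of response status: a 403 on a cross-account attempt is still a signal that someone probed the endpoint, and a 200 on one is the case the audit of SuperAdmin accounts in the fourth action should start from.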

Evidence notes

Official vendor advisory confirms IDOR in admin API password endpoint allowing unauthorized password changes. VulnCheck advisory provides additional technical context. CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and high impact to confidentiality, integrity, and availability.

Official resources

Disclosed 2026-05-28 via NVD with official vendor security advisory from phpMyFAQ project.