CVE-2026-35672 thorsten CVE debrief

Who should care

Organizations running phpMyFAQ instances with API v4.0 enabled, particularly those exposing administrative API endpoints to untrusted networks. Security teams responsible for content management system integrity and API security posture should prioritize assessment and patching.

Technical summary

The vulnerability stems from insecure default initialization where `api.apiClientToken` defaults to an empty string. The API v4.0 token validation logic accepts this empty value as valid when an empty `x-pmf-token` header is supplied, effectively disabling authentication for affected endpoints. Attackers can leverage this to create or modify FAQ content without credentials. The attack requires no user interaction and can be conducted remotely over the network.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade phpMyFAQ to version 4.1.3 or later to remediate the authentication bypass vulnerability
• Verify that the `api.apiClientToken` configuration parameter is set to a non-empty, cryptographically secure value
• Review API access logs for requests to `/api/v4.0/faq/create`, `/api/v4.0/category`, and `/api/v4.0/question` containing empty `x-pmf-token` headers
• Implement network-level access controls to restrict API endpoint exposure to authorized administrative hosts where feasible
• Audit existing FAQ entries, categories, and questions for unauthorized modifications if exploitation is suspected

Evidence notes

Vulnerability description sourced from NVD modified feed with cross-reference to GitHub Security Advisory GHSA-gp95-j463-vv28 and Vulncheck advisory. CVSS 4.0 vector confirms network-accessible attack with high integrity impact. CWE-1188 (Insecure Default Initialization of Resource) identified as secondary weakness classification.

Official resources