CVE-2026-35676 thorsten CVE debrief

Who should care

Organizations running phpMyFAQ instances prior to version 4.1.3, particularly those with externally accessible API endpoints. Security teams responsible for web application security and identity management infrastructure. System administrators managing phpMyFAQ deployments in production environments. Incident response teams monitoring for authentication-related attacks and account takeover attempts.

Technical summary

The vulnerability exists in the /api/index.php/user/password/update endpoint which fails to validate authentication tokens before processing password changes. Attackers can exploit this by sending crafted PUT requests containing enumerated username and email pairs. The endpoint accepts password update requests without verifying the requester's identity through session tokens, JWT, or other authentication mechanisms. This allows arbitrary password modification for any valid user account, effectively enabling account takeover without prior authentication. The vulnerability is particularly severe as it requires no privileges and no user interaction, making it trivially exploitable via automated tools.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade to phpMyFAQ 4.1.3 or later to remediate the unauthenticated password reset vulnerability
• Implement network-level access controls to restrict API endpoint exposure if immediate patching is not feasible
• Monitor authentication logs for anomalous password change activities, particularly PUT requests to user password endpoints
• Review and strengthen password reset workflows to ensure proper token validation mechanisms are enforced
• Consider implementing rate limiting on authentication-related API endpoints to reduce enumeration risk

Evidence notes

Vulnerability identified in phpMyFAQ before 4.1.3. Advisory published by Vulncheck and disclosed to GitHub Security Advisories. NVD status marked as 'Deferred' as of 2026-05-28.

Official resources