PatchSiren cyber security CVE debrief

CVE-2026-45007 thorsten CVE debrief

CVE-2026-45007 is an access-control flaw in phpMyFAQ before 4.1.2. In ConfigurationTabController.php, 12 /admin/api/configuration endpoints used userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT), so any authenticated user could query configuration metadata such as the permission model, cache backend, mail provider, and translation provider. The issue is confidentiality-only, but it weakens least-privilege controls and can expose useful internal details.

Vendor: thorsten
Product: phpmyfaq
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

phpMyFAQ operators, administrators, and developers who maintain admin API authorization checks should care most. Security teams should also review any environment where authenticated non-admin users can reach phpMyFAQ administrative endpoints.

Technical summary

The supplied source material describes a missing permission check in phpMyFAQ's ConfigurationTabController.php. Rather than requiring CONFIGURATION_EDIT, 12 endpoints accepted any authenticated session via userIsAuthenticated(), enabling authenticated users to enumerate configuration metadata over /admin/api/configuration. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, which matches a network-reachable, low-complexity disclosure issue with no integrity or availability impact.
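The authentication-versus-authorization mistake described above, as an added illustration that is not phpMyFAQ code. It models the two gates in a small hypothetical Python request framework: `require_authenticated` stands in for the weak `userIsAuthenticated()` check and `require_permission(CONFIGURATION_EDIT)` for the correct `userHasPermission(CONFIGURATION_EDIT)` check. The `User`, `Response`, handler names and the configuration values returned are all constructed for the example; only the permission name and the shape of the flaw come from the advisory.

```python
"""Authentication vs authorization gate, modelled on the CVE-2026-45007 pattern.

Hypothetical mini-framework (not phpMyFAQ code): requests carry a User with a
set of permission names, and handlers are gated by decorators.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable

# Permission name taken from the advisory; the framework around it is constructed.
CONFIGURATION_EDIT = "CONFIGURATION_EDIT"


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool
    permissions: frozenset = field(default_factory=frozenset)


@dataclass
class Response:
    status: int
    body: dict


def require_authenticated(handler: Callable) -> Callable:
    """Weak gate: the vulnerable endpoints only checked that a session exists."""
    @wraps(handler)
    def wrapper(user: User) -> Response:
        if not user.authenticated:
            return Response(401, {"error": "authentication required"})
        return handler(user)
    return wrapper


def require_permission(permission: str) -> Callable:
    """Correct gate: the caller must be authenticated AND hold the named permission."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(user: User) -> Response:
            if not user.authenticated:
                return Response(401, {"error": "authentication required"})
            if permission not in user.permissions:
                return Response(403, {"error": f"missing permission {permission}"})
            return handler(user)
        return wrapper
    return decorator


# Constructed stand-in for the configuration metadata the endpoints disclosed.
CONFIG_METADATA = {
    "permission_model": "example-model",
    "cache_backend": "example-cache",
    "mail_provider": "example-mail",
}


@require_authenticated
def configuration_metadata_vulnerable(user: User) -> Response:
    """Before the fix: any logged-in user receives the metadata."""
    return Response(200, dict(CONFIG_METADATA))


@require_permission(CONFIGURATION_EDIT)
def configuration_metadata_fixed(user: User) -> Response:
    """After the fix: only holders of CONFIGURATION_EDIT receive it."""
    return Response(200, dict(CONFIG_METADATA))


# Constructed callers: anonymous, a logged-in non-admin, and an administrator.
ANON = User("anonymous", authenticated=False)
READER = User("reader", authenticated=True)
ADMIN = User("admin", authenticated=True, permissions=frozenset({CONFIGURATION_EDIT}))


def compare() -> dict:
    """Status code each caller receives from the weak gate and from the corrected one."""
    callers = (ANON, READER, ADMIN)
    return {
        "vulnerable": {u.name: configuration_metadata_vulnerable(u).status for u in callers},
        "fixed": {u.name: configuration_metadata_fixed(u).status for u in callers},
    }


if __name__ == "__main__":
    for gate, results in compare().items():
        print(gate, results)
```

The difference that matters is the `reader` row: the weak gate returns 200 to a session that merely exists, the corrected gate returns 403 and leaves the administrator's access unchanged.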

Defensive priority

Medium priority. The flaw does not grant direct code execution or write access, but it exposes internal configuration details to any authenticated user and can undermine least-privilege assumptions. Upgrade promptly if you run affected phpMyFAQ versions and verify that admin endpoints enforce the intended permission check.

Recommended defensive actions

  • Upgrade phpMyFAQ to 4.1.2 or later.
  • Verify that /admin/api/configuration endpoints enforce userHasPermission(CONFIGURATION_EDIT) rather than only checking authentication.
  • Review other admin controllers for similar authentication-vs-authorization mistakes.
  • Confirm that no non-admin authenticated accounts can reach sensitive configuration APIs in production.
  • Monitor logs for unusual access to /admin/api/configuration endpoints.
  • Reassess any operational assumptions that depended on configuration metadata being restricted to administrators.
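One way to carry out the log-monitoring action above, as an added detection example that is not part of the advisory or the product. It parses web server access logs in combined format and flags successful requests under `/admin/api/configuration` made by users outside an administrator allow-list, while counting denied attempts separately so a patched instance shows attempts without findings. The log lines, the user names, the allow-list and the endpoint sub-paths are constructed for the example; only the `/admin/api/configuration` prefix comes from the advisory.

```python
"""Flag non-admin access to /admin/api/configuration in access logs.

Added detection example. The log lines are constructed in Apache/nginx combined
format with the authenticated user in the remote-user field; the admin
allow-list and the endpoint sub-paths are assumptions, not advisory facts.
"""
import re
from collections import Counter

# Path prefix named in the advisory; everything after it below is constructed.
CONFIG_API_PREFIX = "/admin/api/configuration"

# Combined log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one admin, one non-admin reading config on an unpatched
# instance, one anonymous 401, and one non-admin 403 from a patched check.
SAMPLE_LOG = """\
10.0.0.5 - admin [15/May/2026:10:00:01 +0000] "GET /admin/api/configuration/list HTTP/1.1" 200 512
10.0.0.9 - reader [15/May/2026:10:00:07 +0000] "GET /admin/api/configuration/list HTTP/1.1" 200 512
10.0.0.9 - reader [15/May/2026:10:00:08 +0000] "GET /admin/api/configuration/translation-provider HTTP/1.1" 200 88
10.0.0.9 - reader [15/May/2026:10:00:09 +0000] "GET /admin/api/configuration/mail-provider HTTP/1.1" 200 90
10.0.0.9 - reader [15/May/2026:10:00:31 +0000] "GET /index.php?action=show&cat=1 HTTP/1.1" 200 4021
10.0.0.12 - - [15/May/2026:10:01:00 +0000] "GET /admin/api/configuration/list HTTP/1.1" 401 0
10.0.0.13 - editor [15/May/2026:10:02:00 +0000] "GET /admin/api/configuration/cache-backend HTTP/1.1" 403 0
"""

# Assumed allow-list of accounts expected to hold CONFIGURATION_EDIT.
ADMIN_USERS = frozenset({"admin"})


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_non_admin_config_access(log_text, admin_users):
    """Return (findings, attempts).

    findings: successful (2xx) configuration API requests by users not in
    admin_users, i.e. the disclosure actually happened.
    attempts: per-user count of all configuration API requests, including
    401/403 responses where the permission check held.
    """
    findings = []
    attempts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].startswith(CONFIG_API_PREFIX):
            continue
        user = rec["user"]
        attempts[user] += 1
        status = int(rec["status"])
        if user in admin_users or not 200 <= status < 300:
            continue
        findings.append({
            "time": rec["time"],
            "host": rec["host"],
            "user": user,
            "path": rec["path"],
            "status": status,
        })
    return findings, attempts


if __name__ == "__main__":
    found, counts = find_non_admin_config_access(SAMPLE_LOG, ADMIN_USERS)
    for f in found:
        print("NON-ADMIN CONFIG READ", f)
    print("attempts per user:", dict(counts))
```

The 401 and 403 lines appear only in the per-user counts: on a patched instance they are the expected outcome of the `CONFIGURATION_EDIT` check and are worth watching as probing, but they are not disclosures. The allow-list should be sourced from the application's own administrator group rather than hard-coded in production.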

Evidence notes

The supplied NVD record identifies the vulnerability as CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N and lists the status as Deferred. The referenced GitHub advisory and VulnCheck advisory both describe the same root cause: a missing permission check in ConfigurationTabController.php affecting 12 configuration API endpoints and allowing information disclosure of system configuration metadata to authenticated users.

Official resources

Publicly disclosed on 2026-05-15 through the referenced GitHub security advisory and VulnCheck advisory, with NVD publishing the CVE record the same day. The supplied NVD metadata was later modified on 2026-05-18 and marks the entry as Defe