PatchSiren cyber security CVE debrief
CVE-2026-45009 thorsten CVE debrief
CVE-2026-45009 is a medium-severity authorization weakness in phpMyFAQ before 4.1.2. The issue lets a logged-in frontend user reach admin-api routes that should be restricted to privileged administrators. As disclosed, the exposed backend data can include dashboard version details, LDAP configuration, Elasticsearch statistics, and health-check information. This is primarily an access-control failure rather than a code-execution issue, but it can still reveal operational information that should not be visible to ordinary accounts.
- Vendor
- thorsten
- Product
- phpmyfaq
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-15
- Original CVE updated
- 2026-05-18
- Advisory published
- 2026-05-15
- Advisory updated
- 2026-05-18
Who should care
phpMyFAQ operators, administrators, and security teams should care most, especially in deployments where frontend user accounts are broadly available. Any environment exposing admin-api endpoints to authenticated non-admin users should be reviewed. Teams relying on backend configuration secrecy or internal health data should prioritize validation and upgrade planning.
Technical summary
According to the supplied disclosure, phpMyFAQ before 4.1.2 checks whether a user is logged in when handling certain admin-api routes, but does not verify that the user has backend administrative privileges. That insufficient authorization check means ordinary authenticated users can call sensitive administrative endpoints. The disclosed impact is limited to information exposure: backend dashboard version data, LDAP configuration, Elasticsearch statistics, and health-check data. The mapped weakness is CWE-863 (Incorrect Authorization).
Defensive priority
Medium. The flaw requires an authenticated user, does not indicate direct code execution, and is reported with CVSS 3.1 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Even so, the exposed administrative and operational details can help an attacker map the environment and should be corrected promptly.
Recommended defensive actions
- Upgrade phpMyFAQ to 4.1.2 or later.
- Review all admin-api routes and confirm backend privilege checks are enforced for every sensitive endpoint.
- Audit logs for access to admin-api endpoints by non-administrative accounts.
- Restrict frontend account creation and remove unnecessary authenticated user access where practical.
- Treat exposed LDAP, Elasticsearch, dashboard, and health-check data as sensitive and rotate any secrets if they may have been revealed.
Evidence notes
The analysis is based only on the supplied CVE record and linked disclosures. The source data identifies phpMyFAQ before 4.1.2, an insufficient authorization issue in admin-api routes, CWE-863, and the impact to backend operational information. NVD lists the record as Deferred. No exploit instructions or unsupported impact claims are included.
Official resources
Published in the supplied source corpus on 2026-05-15 and modified on 2026-05-18. The source metadata ties the disclosure to the phpMyFAQ GitHub security advisory and the VulnCheck advisory; NVD marks the record as Deferred.