PatchSiren cyber security CVE debrief
CVE-2026-45010 thorsten CVE debrief
CVE-2026-45010 is a critical authentication-bypass issue in phpMyFAQ before 4.1.2. The /admin/check endpoint accepts arbitrary user-id parameters without tying the check to an existing session or enforcing meaningful rate limits, allowing an unauthenticated attacker to brute-force a six-digit TOTP and reach administrative access. Because the flaw defeats the intended second factor, the impact is severe even though it does not require prior account compromise.
- Vendor
- thorsten
- Product
- phpmyfaq
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-15
- Original CVE updated
- 2026-05-18
- Advisory published
- 2026-05-15
- Advisory updated
- 2026-05-18
Who should care
Organizations running phpMyFAQ, especially installations that expose the admin interface to the internet or use TOTP-based two-factor authentication for administrator accounts. Security teams, application owners, and incident response teams should treat this as a high-priority authentication weakness.
Technical summary
According to the supplied disclosure, phpMyFAQ versions before 4.1.2 expose an improper restriction of excessive authentication attempts in /admin/check. The endpoint accepts arbitrary user-id values, does not bind the verification flow to the authenticated session, and lacks effective rate limiting. That combination allows repeated POST requests with sequential token guesses against a target user's six-digit TOTP, making 2FA brute force feasible from an unauthenticated position. NVD metadata in the source corpus lists the weakness as CWE-307 and shows a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
Defensive priority
Critical. This is a remotely reachable, unauthenticated authentication bypass that can lead to full administrative compromise. Remediation should be prioritized immediately on any exposed phpMyFAQ instance.
Recommended defensive actions
- Upgrade phpMyFAQ to version 4.1.2 or later.
- Review whether the /admin/check endpoint is reachable from untrusted networks and restrict access where possible.
- Verify that administrator TOTP checks are bound to the active session and target user context, not arbitrary user-id input.
- Add or confirm effective rate limiting, lockout, and monitoring on authentication and 2FA verification endpoints.
- Audit administrator accounts and recent logins for signs of brute-force activity or unauthorized access.
- If exposure is suspected, rotate administrator credentials and review application and reverse-proxy logs for repeated /admin/check requests.
Evidence notes
The source corpus describes the issue as affecting phpMyFAQ before 4.1.2 and cites an unauthenticated brute-force path through /admin/check that can bypass two-factor authentication. The provided NVD metadata lists CWE-307 and CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. NVD metadata in the corpus also shows vulnStatus: Deferred. The published and modified timestamps supplied for the CVE are 2026-05-15T19:17:01.450Z and 2026-05-18T17:25:39.493Z.
Official resources
Publicly disclosed on 2026-05-15T19:17:01.450Z; the supplied source metadata was last modified on 2026-05-18T17:25:39.493Z.