PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46366 thorsten CVE debrief

CVE-2026-46366 describes an information disclosure issue in phpMyFAQ before 4.1.2. According to the supplied record, the getIdFromSolutionId() method does not apply permission filtering, which can let unauthenticated attackers enumerate solution IDs and reveal restricted FAQ entry titles through the /solution_id_{id}.html endpoint. The issue is confidentiality-focused, can affect restricted content, and is rated High in the provided CVSS data.

Vendor: thorsten
Product: phpmyfaq
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Administrators and developers running phpMyFAQ, especially deployments that use restricted FAQs for specific users or groups. Security teams should also review any environment where FAQ titles or redirect behavior may reveal sensitive metadata.

Technical summary

The supplied description says phpMyFAQ before 4.1.2 fails to enforce authorization when mapping solution IDs back to FAQ entries. Because getIdFromSolutionId() lacks permission filtering, an unauthenticated requester can iterate sequential solution IDs and observe restricted FAQ titles. The disclosure can occur via redirect Location headers and page canonical links, leaking metadata even when the underlying FAQ content is access-controlled. NVD metadata maps the weakness to CWE-863 (incorrect authorization).
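The following is an added illustration of the authorization gap the description outlines; it is not phpMyFAQ's own code. The FaqEntry and Requester types, the resolve_solution_id_vulnerable() and resolve_solution_id_fixed() functions, the sample entries and the redirect URL shape are all hypothetical stand-ins for a lookup that maps a solution ID to a FAQ entry and answers with a redirect whose Location header carries the entry title. The point it makes is the one in the summary: an alternate lookup path must apply the same visibility rule as normal content access, and a restricted entry should be indistinguishable from a nonexistent one so the path cannot be used as an oracle.

```python
"""Authorization gap on a solution-ID lookup path (hypothetical model)."""
from dataclasses import dataclass, field


@dataclass
class FaqEntry:
    faq_id: int
    solution_id: int
    title: str
    allowed_groups: frozenset  # empty set means the entry is public


@dataclass
class Requester:
    # An unauthenticated requester belongs to no group.
    groups: frozenset = field(default_factory=frozenset)


# Constructed sample data; not real phpMyFAQ content.
FAQS = [
    FaqEntry(1, 1000, "Resetting your password", frozenset()),
    FaqEntry(2, 1001, "Internal VPN rollout plan", frozenset({"staff"})),
    FaqEntry(3, 1002, "Q3 acquisition timeline", frozenset({"executives"})),
]


def slugify(title):
    return "-".join(title.lower().split())


def _redirect(entry):
    # Hypothetical redirect shape: the title slug ends up in the Location header.
    return {"status": 302, "location": f"/content/{entry.faq_id}/{slugify(entry.title)}.html"}


def resolve_solution_id_vulnerable(solution_id, requester):
    """Mirrors the described defect: the solution-ID path applies no permission filter."""
    for entry in FAQS:
        if entry.solution_id == solution_id:
            return _redirect(entry)
    return {"status": 404, "location": None}


def is_visible(entry, requester):
    """The same visibility rule normal content access would apply."""
    return not entry.allowed_groups or bool(entry.allowed_groups & requester.groups)


def resolve_solution_id_fixed(solution_id, requester):
    """Hardened lookup: filter by visibility, and answer restricted and
    nonexistent IDs identically so the response does not leak existence."""
    for entry in FAQS:
        if entry.solution_id == solution_id and is_visible(entry, requester):
            return _redirect(entry)
    return {"status": 404, "location": None}


def observable_titles(resolver, requester, start, stop):
    """Defensive check: which title slugs a given requester can recover from
    Location headers over a contiguous ID range. Useful as a regression test
    that restricted entries stay hidden on the alternate URL form."""
    titles = set()
    for sid in range(start, stop):
        response = resolver(sid, requester)
        if response["status"] == 302:
            titles.add(response["location"].rsplit("/", 1)[-1].removesuffix(".html"))
    return titles


if __name__ == "__main__":
    anon = Requester()
    print("vulnerable:", sorted(observable_titles(resolve_solution_id_vulnerable, anon, 1000, 1003)))
    print("fixed:     ", sorted(observable_titles(resolve_solution_id_fixed, anon, 1000, 1003)))
```

Run as a script, the vulnerable resolver exposes all three titles to an anonymous requester while the fixed one exposes only the public entry; a staff member still reaches the staff-restricted entry through the fixed path, and a restricted entry returns exactly the same response as an ID that does not exist.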

Defensive priority

High

Recommended defensive actions

  • Upgrade phpMyFAQ to 4.1.2 or later.
  • Verify that getIdFromSolutionId() and related FAQ lookup paths enforce the same authorization checks as normal content access.
  • Review whether /solution_id_{id}.html responses leak titles or other metadata in redirects, canonical links, or page markup.
  • Audit logs for sequential solution ID requests that may indicate enumeration attempts.
  • Limit exposure of restricted FAQ metadata and confirm that private entries are not discoverable through alternate URL forms.
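The log-audit item above can be turned into a concrete check. The script below is an added example, not phpMyFAQ tooling: it parses Apache combined-format access log lines (an assumed format; the lines are constructed), groups /solution_id_{id}.html requests by client, and raises one alert per client whose requests form a run of closely spaced sequential IDs inside a short window. The thresholds (min_run, window_seconds, max_gap) are assumptions to tune for a given site; 404 responses are counted as well, because a scanner cannot know in advance which IDs exist.

```python
"""Flag sequential solution-ID request runs per client in web access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SOLUTION_RE = re.compile(r"^/solution_id_(\d+)\.html$")

# Constructed sample log: one client walking IDs 1000-1005, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2026:10:00:01 +0000] "GET /solution_id_1000.html HTTP/1.1" 302 0
203.0.113.7 - - [15/May/2026:10:00:01 +0000] "GET /solution_id_1001.html HTTP/1.1" 302 0
203.0.113.7 - - [15/May/2026:10:00:02 +0000] "GET /solution_id_1002.html HTTP/1.1" 404 0
203.0.113.7 - - [15/May/2026:10:00:02 +0000] "GET /solution_id_1003.html HTTP/1.1" 302 0
203.0.113.7 - - [15/May/2026:10:00:03 +0000] "GET /solution_id_1004.html HTTP/1.1" 302 0
203.0.113.7 - - [15/May/2026:10:00:03 +0000] "GET /solution_id_1005.html HTTP/1.1" 302 0
198.51.100.4 - - [15/May/2026:10:05:00 +0000] "GET /solution_id_1042.html HTTP/1.1" 302 0
198.51.100.4 - - [15/May/2026:10:07:30 +0000] "GET /index.php HTTP/1.1" 200 0
"""


def parse(line):
    """Return a record for a solution-ID request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    sm = SOLUTION_RE.match(d["path"])
    if not sm:
        return None
    return {
        "ip": d["ip"],
        "ts": datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "solution_id": int(sm.group(1)),
        "status": int(d["status"]),
    }


def find_enumeration(log_text, min_run=5, window_seconds=60, max_gap=2):
    """One alert per client whose solution-ID requests, in time order, form a
    run of at least min_run IDs, each at most max_gap above the previous one,
    all inside window_seconds of the run's first request."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        run = [recs[0]]
        best = run
        for prev, cur in zip(recs, recs[1:]):
            close_id = 0 < cur["solution_id"] - prev["solution_id"] <= max_gap
            in_window = (cur["ts"] - run[0]["ts"]).total_seconds() <= window_seconds
            run = run + [cur] if close_id and in_window else [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_run:
            alerts.append({
                "ip": ip,
                "count": len(best),
                "first_id": best[0]["solution_id"],
                "last_id": best[-1]["solution_id"],
                "redirects": sum(1 for r in best if r["status"] == 302),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

On the sample above this reports the single scanning client with a run of six IDs (five of them answered with redirects), and stays silent for the visitor who fetched one solution ID. Pairing the alert with the redirect count is useful after patching: on a fixed instance, restricted IDs in a scanned range should no longer show up as 302 responses.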

Evidence notes

This debrief is based on the provided CVE record, NVD metadata, and the linked public advisories. The supplied description states that phpMyFAQ before 4.1.2 is affected, that getIdFromSolutionId() lacks permission filtering, and that unauthenticated attackers may enumerate restricted FAQ entries and read titles via /solution_id_{id}.html. NVD metadata lists the vulnerability status as Deferred and associates the issue with CWE-863. The CVE was published on 2026-05-15 and modified on 2026-05-18.

Official resources

Publicly disclosed through the linked advisories and reflected in NVD metadata. The CVE was published on 2026-05-15 and last modified on 2026-05-18; NVD currently marks the record as Deferred.