CVE-2026-24420: CWE-284: Improper Access Control in thorsten phpMyFAQ
CVE-2026-24420 is a medium severity improper access control vulnerability in phpMyFAQ versions prior to 4. 0. 17. It allows authenticated users lacking the 'dlattachment' permission to download FAQ attachments due to flawed permission checks in attachment. php. The vulnerability stems from improper validation of authorization keys and incorrect conditional logic in group and user permission handling. Exploitation requires authentication but no user interaction beyond that. The vulnerability impacts confidentiality by exposing potentially sensitive attachments without proper authorization. No known exploits are currently reported in the wild. The issue has been fixed in phpMyFAQ version 4.
AI Analysis
Technical Summary
phpMyFAQ is an open-source FAQ web application widely used to manage frequently asked questions and related attachments. Versions 4.0.16 and earlier contain an improper access control vulnerability (CWE-284) identified as CVE-2026-24420. The vulnerability arises because the application’s attachment.php script improperly validates the presence of a 'right key' as sufficient proof of authorization to download attachments. Additionally, the logic governing group and user permissions contains flawed conditional expressions that fail to correctly enforce the 'dlattachment' permission. As a result, authenticated users without explicit download rights can access and download FAQ attachments they should not be authorized to view. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based. The CVSS v3.1 base score is 6.5 (medium severity), reflecting high confidentiality impact but no impact on integrity or availability. The vulnerability has been addressed in phpMyFAQ version 4.0.17 by correcting the permission checks and authorization logic. No public exploits or active exploitation campaigns have been reported to date.
Potential Impact
For European organizations using phpMyFAQ versions prior to 4.0.17, this vulnerability poses a risk of unauthorized disclosure of sensitive or confidential information contained in FAQ attachments. This could include internal documentation, proprietary data, or personal information, potentially violating data protection regulations such as GDPR. The confidentiality breach could lead to reputational damage, regulatory penalties, and loss of trust. Since the vulnerability requires authentication, the risk is limited to users with some level of access, but insider threats or compromised accounts could exploit this flaw. The lack of impact on integrity and availability reduces the risk of service disruption or data tampering. However, organizations relying on phpMyFAQ for knowledge management should consider the sensitivity of their stored attachments and the potential consequences of unauthorized access.
Mitigation Recommendations
European organizations should immediately upgrade phpMyFAQ installations to version 4.0.17 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, implement strict access controls on the web application, including limiting authenticated user permissions to only those necessary. Conduct a thorough audit of user accounts and permissions to ensure no excessive rights are granted. Monitor access logs for unusual attachment download activity that could indicate exploitation attempts. Consider implementing web application firewalls (WAFs) with custom rules to detect and block suspicious requests to attachment.php. Additionally, review and sanitize all FAQ attachments to ensure no sensitive information is unnecessarily exposed. Regularly update and patch phpMyFAQ and related components to mitigate similar vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
CVE-2026-24420: CWE-284: Improper Access Control in thorsten phpMyFAQ
Description
CVE-2026-24420 is a medium severity improper access control vulnerability in phpMyFAQ versions prior to 4. 0. 17. It allows authenticated users lacking the 'dlattachment' permission to download FAQ attachments due to flawed permission checks in attachment. php. The vulnerability stems from improper validation of authorization keys and incorrect conditional logic in group and user permission handling. Exploitation requires authentication but no user interaction beyond that. The vulnerability impacts confidentiality by exposing potentially sensitive attachments without proper authorization. No known exploits are currently reported in the wild. The issue has been fixed in phpMyFAQ version 4.
AI-Powered Analysis
Technical Analysis
phpMyFAQ is an open-source FAQ web application widely used to manage frequently asked questions and related attachments. Versions 4.0.16 and earlier contain an improper access control vulnerability (CWE-284) identified as CVE-2026-24420. The vulnerability arises because the application’s attachment.php script improperly validates the presence of a 'right key' as sufficient proof of authorization to download attachments. Additionally, the logic governing group and user permissions contains flawed conditional expressions that fail to correctly enforce the 'dlattachment' permission. As a result, authenticated users without explicit download rights can access and download FAQ attachments they should not be authorized to view. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based. The CVSS v3.1 base score is 6.5 (medium severity), reflecting high confidentiality impact but no impact on integrity or availability. The vulnerability has been addressed in phpMyFAQ version 4.0.17 by correcting the permission checks and authorization logic. No public exploits or active exploitation campaigns have been reported to date.
Potential Impact
For European organizations using phpMyFAQ versions prior to 4.0.17, this vulnerability poses a risk of unauthorized disclosure of sensitive or confidential information contained in FAQ attachments. This could include internal documentation, proprietary data, or personal information, potentially violating data protection regulations such as GDPR. The confidentiality breach could lead to reputational damage, regulatory penalties, and loss of trust. Since the vulnerability requires authentication, the risk is limited to users with some level of access, but insider threats or compromised accounts could exploit this flaw. The lack of impact on integrity and availability reduces the risk of service disruption or data tampering. However, organizations relying on phpMyFAQ for knowledge management should consider the sensitivity of their stored attachments and the potential consequences of unauthorized access.
Mitigation Recommendations
European organizations should immediately upgrade phpMyFAQ installations to version 4.0.17 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, implement strict access controls on the web application, including limiting authenticated user permissions to only those necessary. Conduct a thorough audit of user accounts and permissions to ensure no excessive rights are granted. Monitor access logs for unusual attachment download activity that could indicate exploitation attempts. Consider implementing web application firewalls (WAFs) with custom rules to detect and block suspicious requests to attachment.php. Additionally, review and sanitize all FAQ attachments to ensure no sensitive information is unnecessarily exposed. Regularly update and patch phpMyFAQ and related components to mitigate similar vulnerabilities.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-22T18:19:49.175Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6974300c4623b1157c7863fd
Added to database: 1/24/2026, 2:35:56 AM
Last enriched: 1/24/2026, 2:50:37 AM
Last updated: 1/24/2026, 3:37:51 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-24469: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in frustratedProton http-server
HighCVE-2026-24422: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in thorsten phpMyFAQ
MediumCVE-2025-13952: CWE - CWE-416: Use After Free (4.18) in Imagination Technologies Graphics DDK
HighCVE-2026-24421: CWE-862: Missing Authorization in thorsten phpMyFAQ
MediumCVE-2026-24412: CWE-20: Improper Input Validation in InternationalColorConsortium iccDEV
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.