CVE-2026-24422: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in thorsten phpMyFAQ
phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17.
AI Analysis
Technical Summary
phpMyFAQ is an open source FAQ management web application widely used for managing frequently asked questions and related content. In versions 4.0.16 and earlier, a critical design flaw exists in the public API endpoints, specifically in the OpenQuestionController::list() method. This endpoint internally calls Question::getAll() with the parameter showAll=true by default, which causes it to return all questions, including those marked as non-public (isVisible=false). Alongside the content, sensitive user information such as email addresses is also exposed. Similar issues are present in other API endpoints handling comments, news, and FAQ data. The root cause is insufficient access control checks on these API endpoints, allowing unauthenticated remote attackers to retrieve sensitive information without any privileges or user interaction. This exposure can facilitate targeted phishing campaigns by harvesting user emails and unauthorized access to content intended to be private. The vulnerability has been assigned CVE-2026-24422 and is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.3 (medium severity), reflecting network attack vector, no privileges required, no user interaction, and limited confidentiality impact. The issue was resolved in phpMyFAQ version 4.0.17 by enforcing proper access controls on the affected API endpoints.
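To make the access-control point concrete, here is an added illustration (it is not phpMyFAQ's own code, and the function and variable names are hypothetical) of the two patterns the summary contrasts: a list endpoint whose data-layer call defaults to returning every record, and a hardened version where the default is the least-privileged view, non-public rows are filtered out for anonymous callers, and submitter e-mail addresses are returned only to authenticated callers. The record shape (`id`, `question`, `email`, `isVisible`) is a constructed assumption modelled on the fields the description mentions.

```php
<?php
// Added example, not phpMyFAQ code. Names such as listOpenQuestionsWeak,
// listOpenQuestionsHardened and $records are hypothetical.
declare(strict_types=1);

// Constructed sample rows standing in for the questions table.
$records = [
    ['id' => 1, 'question' => 'How do I reset my password?', 'email' => 'alice@example.org', 'isVisible' => true],
    ['id' => 2, 'question' => 'Internal: VPN rollout date?',  'email' => 'bob@example.org',   'isVisible' => false],
];

/**
 * Weak pattern: showAll defaults to true and there is no caller check, so an
 * anonymous request receives hidden rows and e-mail addresses unchanged.
 */
function listOpenQuestionsWeak(array $records, bool $showAll = true): array
{
    return $showAll
        ? $records
        : array_values(array_filter($records, fn(array $r): bool => $r['isVisible']));
}

/**
 * Hardened pattern: the default is the public view, hidden rows are only
 * returned when an authenticated caller explicitly asks for them, and the
 * e-mail field is redacted for anyone who is not authenticated.
 */
function listOpenQuestionsHardened(array $records, bool $isAuthenticated, bool $showAll = false): array
{
    // showAll is honoured only for authenticated callers; anonymous requests
    // always get the visibility-filtered view regardless of the parameter.
    $includeHidden = $isAuthenticated && $showAll;

    $out = [];
    foreach ($records as $r) {
        if (!$includeHidden && !$r['isVisible']) {
            continue; // non-public record: never returned to anonymous callers
        }
        $row = ['id' => $r['id'], 'question' => $r['question'], 'isVisible' => $r['isVisible']];
        if ($isAuthenticated) {
            $row['email'] = $r['email']; // PII only for authenticated callers
        }
        $out[] = $row;
    }
    return $out;
}

// Demonstration: the anonymous view contains no hidden rows and no e-mail.
$anonymous = listOpenQuestionsHardened($records, isAuthenticated: false);
assert(count($anonymous) === 1 && !isset($anonymous[0]['email']));

// An authenticated caller asking for everything gets both rows with e-mail.
$privileged = listOpenQuestionsHardened($records, isAuthenticated: true, showAll: true);
assert(count($privileged) === 2 && isset($privileged[1]['email']));

echo json_encode(['anonymous' => $anonymous, 'privileged' => $privileged], JSON_PRETTY_PRINT), PHP_EOL;
```

The design choice worth noting is that the hardened function cannot be talked into the wide view by a request parameter alone: `showAll` is gated on the caller's authentication state inside the function, rather than trusted as a default at the call site. Reviewing other list endpoints (comments, news, FAQ entries) for the same "default to everything, filter later" shape is the corresponding audit step.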
Potential Impact
For European organizations using phpMyFAQ versions prior to 4.0.17, this vulnerability poses a significant privacy risk. Exposure of user email addresses can lead to increased phishing attacks targeting employees or customers, potentially resulting in credential theft or social engineering compromises. Disclosure of non-public FAQ content may reveal sensitive internal information or business processes, undermining confidentiality and trust. Since the vulnerability is exploitable remotely without authentication, attackers can easily scan and harvest data from publicly accessible phpMyFAQ instances. This could also damage organizational reputation and lead to regulatory compliance issues under GDPR due to unauthorized exposure of personal data. The impact is particularly critical for sectors handling sensitive information such as government, healthcare, finance, and critical infrastructure within Europe.
Mitigation Recommendations
European organizations should immediately upgrade phpMyFAQ installations to version 4.0.17 or later, where the vulnerability is patched. If immediate upgrade is not feasible, restrict access to phpMyFAQ API endpoints by implementing network-level controls such as IP whitelisting or VPN access to limit exposure. Review and audit API access logs for suspicious activity indicating data harvesting attempts. Disable or restrict public API endpoints that are not essential. Implement web application firewalls (WAF) with custom rules to detect and block anomalous API requests targeting the affected endpoints. Conduct a thorough review of user data exposure and notify affected users if email addresses were compromised, following GDPR breach notification requirements. Regularly monitor vendor advisories for any updates or related vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-22T18:19:49.175Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6974300c4623b1157c786400
Added to database: 1/24/2026, 2:35:56 AM
Last enriched: 1/31/2026, 9:02:39 AM
Last updated: 2/7/2026, 3:47:38 AM