phpMyFAQ is an open-source FAQ web application widely used for managing frequently asked questions on websites. Versions prior to 4.0.18 contain a critical vulnerability identified as CVE-2026-27836, classified under CWE-862 (Missing Authorization). The vulnerability exists in the WebAuthn prepare endpoint located at `/api/webauthn/prepare`. This endpoint is responsible for preparing WebAuthn authentication but, due to missing authorization checks, allows unauthenticated attackers to create new active user accounts without any form of authentication, CSRF protection, CAPTCHA, or configuration validation. Even if user registration is disabled, attackers can exploit this flaw to create an unlimited number of accounts. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). This means the flaw can be exploited remotely without authentication or user interaction, primarily compromising the integrity of the user database by unauthorized account creation. Although no known exploits are currently reported in the wild, the flaw poses a significant risk to organizations relying on phpMyFAQ for user management and content delivery. The issue was addressed and fixed in phpMyFAQ version 4.0.18.

The primary impact of this vulnerability is on the integrity of the phpMyFAQ user management system. Attackers can create unlimited unauthorized user accounts, potentially leading to abuse such as privilege escalation attempts, spam, or unauthorized access to restricted content if combined with other vulnerabilities. While confidentiality and availability are not directly affected, the presence of unauthorized accounts can undermine trust in the system and complicate administrative oversight. Organizations using vulnerable versions may face increased risk of account-based attacks, fraudulent activity, and potential reputational damage. The ease of exploitation and lack of required privileges or user interaction make this vulnerability particularly dangerous in public-facing deployments. Additionally, automated exploitation could lead to resource exhaustion or denial of service indirectly by overwhelming the system with bogus accounts.

The most effective mitigation is to upgrade phpMyFAQ to version 4.0.18 or later, where the vulnerability is fixed. Until upgrading is possible, organizations should implement strict network-level access controls to restrict access to the `/api/webauthn/prepare` endpoint, such as IP whitelisting or web application firewall (WAF) rules that detect and block suspicious account creation attempts. Administrators should also review user registration settings and monitor logs for unusual spikes in account creation activity. Implementing additional authentication or CAPTCHA mechanisms at the application or proxy level can help prevent automated abuse. Regularly auditing user accounts and removing suspicious or unauthorized accounts will reduce risk. Finally, organizations should stay informed about updates from the phpMyFAQ project and apply security patches promptly.