CVE-2026-27836: CWE-862: Missing Authorization in thorsten phpMyFAQ
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue.
AI Analysis
Technical Summary
phpMyFAQ is an open-source FAQ web application widely used for managing frequently asked questions on websites. The vulnerability identified as CVE-2026-27836 (CWE-862: Missing Authorization) affects phpMyFAQ versions earlier than 4.0.18. Specifically, the WebAuthn prepare endpoint located at `/api/webauthn/prepare` lacks any form of authorization, CSRF protection, captcha, or configuration validation. This endpoint is responsible for preparing WebAuthn credentials but, due to the missing authorization checks, allows unauthenticated attackers to create new active user accounts arbitrarily. Notably, this flaw persists even when the registration feature is disabled, effectively bypassing intended access controls. The vulnerability can be exploited remotely without any user interaction or privileges, making it highly accessible to attackers. While the vulnerability does not disclose sensitive information or disrupt service availability, it severely impacts the integrity of the system by enabling unauthorized account creation. Attackers could leverage this to flood the system with bogus accounts, potentially facilitating further attacks such as privilege escalation, spam, or denial of service through resource exhaustion. The issue was addressed and fixed in phpMyFAQ version 4.0.18, which introduced proper authorization checks and protections on the WebAuthn prepare endpoint. No known exploits are currently reported in the wild, but the ease of exploitation and high impact warrant immediate attention from users of affected versions.
Potential Impact
The primary impact of CVE-2026-27836 is on the integrity of phpMyFAQ installations, as unauthorized attackers can create unlimited active user accounts without authentication. This undermines trust in the user management system and can lead to several downstream risks, including privilege escalation if attackers manage to gain elevated roles via created accounts or exploit other vulnerabilities. The lack of registration restrictions can also result in spam accounts, cluttering the system and potentially degrading performance. Although confidentiality and availability are not directly affected, the integrity compromise can facilitate further attacks that may impact these areas. Organizations relying on phpMyFAQ for customer support, knowledge bases, or internal documentation may face operational disruptions and reputational damage if attackers abuse this vulnerability. The vulnerability’s remote and unauthenticated exploitability increases the risk of widespread abuse, especially in environments where phpMyFAQ is exposed to the internet. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks, particularly as details become more widely known.
Mitigation Recommendations
The most effective mitigation is to upgrade phpMyFAQ installations to version 4.0.18 or later, where the vulnerability is patched with proper authorization checks on the WebAuthn prepare endpoint. Until upgrading is possible, organizations should implement strict network-level access controls to restrict access to the vulnerable endpoint, such as IP whitelisting or web application firewall (WAF) rules that block unauthenticated requests to `/api/webauthn/prepare`. Monitoring and alerting on unusual account creation patterns can help detect exploitation attempts early. Disabling WebAuthn features if not in use can reduce the attack surface. Additionally, applying rate limiting on account creation endpoints can mitigate abuse. Reviewing and tightening user role assignments and permissions can limit the impact of unauthorized accounts. Finally, organizations should ensure that registration is properly disabled in configuration settings and verify that no other endpoints suffer from similar missing authorization issues.
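The monitoring recommendation above can be made concrete. The following is an added example, not code from phpMyFAQ or from this advisory: it parses web-server access-log lines and flags any source address that completes more than a threshold of successful POSTs to `/api/webauthn/prepare` inside a sliding time window. The sample log lines, addresses, threshold and window size are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format); illustrative, not real phpMyFAQ traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2026:20:10:01 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:20:10:01 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:20:10:02 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:20:10:03 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:20:10:03 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.2 - - [27/Feb/2026:20:10:05 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 310 "https://faq.example.test/" "Mozilla/5.0"
198.51.100.2 - - [27/Feb/2026:20:10:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Feb/2026:20:25:00 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ENDPOINT = "/api/webauthn/prepare"  # the endpoint named in the advisory


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def detect_prepare_bursts(lines, threshold=3, window_seconds=60):
    """Return {ip: peak_count} for sources with more than `threshold` successful POSTs to
    the prepare endpoint inside any sliding window of `window_seconds`.
    Assumption: a legitimate user preparing a credential makes only a handful of such
    calls, so a burst well above that is the signature of bulk account creation."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == ENDPOINT and 200 <= rec[4] < 300:
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past stale requests
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged
```

Feed it the lines of the real access log (for example `detect_prepare_bursts(open(path))`) and alert on any non-empty result; tune the threshold against a baseline of normal WebAuthn enrolment traffic before acting on it.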
Affected Countries
United States, Germany, Japan, United Kingdom, France, Canada, Australia, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:32:39.801Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a1fa6032ffcdb8a26d1c5d
Added to database: 2/27/2026, 8:11:12 PM
Last enriched: 3/6/2026, 9:18:59 PM
Last updated: 4/14/2026, 12:55:00 AM