CVE-2026-46362: Incorrect Authorization in thorsten phpmyfaq
phpMyFAQ versions before 4. 1. 2 have an authorization bypass vulnerability in the AbstractAdministrationController::userHasPermission() function. This flaw occurs because the function does not terminate execution after sending a forbidden response, allowing authenticated users to access admin pages without proper permission checks. Exploiting this vulnerability can expose sensitive information such as admin logs, user data, system details, and application configuration. The vulnerability has a CVSS score of 6. 5, indicating medium severity. There is no explicit vendor advisory or patch information available at this time.
AI Analysis
Technical Summary
CVE-2026-46362 is an authorization bypass vulnerability in phpMyFAQ before version 4.1.2. The issue lies in AbstractAdministrationController::userHasPermission(), which fails to stop execution after returning a forbidden response. As a result, authenticated users with limited privileges can access all admin pages that should be permission-protected. This exposure includes sensitive administrative data and configuration information. The vulnerability is remotely exploitable over the network with low attack complexity and no user interaction required. The CVSS 3.1 base score is 6.5 (medium severity) with high confidentiality impact but no integrity or availability impact. No official patch or remediation details are currently provided.
Potential Impact
An attacker with authenticated access but limited privileges can bypass authorization controls to view all admin pages. This leads to exposure of sensitive information such as administrative logs, user data, system information, and application configuration. There is no indication of integrity or availability impact. The vulnerability could facilitate information disclosure that may aid further attacks or unauthorized access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to authenticated users and monitor for suspicious activity. Avoid granting unnecessary privileges to users. Review application logs for unauthorized access attempts to admin pages. Do not rely solely on this version of phpMyFAQ in sensitive environments until patched.
CVE-2026-46362: Incorrect Authorization in thorsten phpmyfaq
Description
phpMyFAQ versions before 4. 1. 2 have an authorization bypass vulnerability in the AbstractAdministrationController::userHasPermission() function. This flaw occurs because the function does not terminate execution after sending a forbidden response, allowing authenticated users to access admin pages without proper permission checks. Exploiting this vulnerability can expose sensitive information such as admin logs, user data, system details, and application configuration. The vulnerability has a CVSS score of 6. 5, indicating medium severity. There is no explicit vendor advisory or patch information available at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46362 is an authorization bypass vulnerability in phpMyFAQ before version 4.1.2. The issue lies in AbstractAdministrationController::userHasPermission(), which fails to stop execution after returning a forbidden response. As a result, authenticated users with limited privileges can access all admin pages that should be permission-protected. This exposure includes sensitive administrative data and configuration information. The vulnerability is remotely exploitable over the network with low attack complexity and no user interaction required. The CVSS 3.1 base score is 6.5 (medium severity) with high confidentiality impact but no integrity or availability impact. No official patch or remediation details are currently provided.
Potential Impact
An attacker with authenticated access but limited privileges can bypass authorization controls to view all admin pages. This leads to exposure of sensitive information such as administrative logs, user data, system information, and application configuration. There is no indication of integrity or availability impact. The vulnerability could facilitate information disclosure that may aid further attacks or unauthorized access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to authenticated users and monitor for suspicious activity. Avoid granting unnecessary privileges to users. Review application logs for unauthorized access attempts to admin pages. Do not rely solely on this version of phpMyFAQ in sensitive environments until patched.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-13T19:40:27.809Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a076ec4ec166c07b0830aae
Added to database: 5/15/2026, 7:06:44 PM
Last enriched: 5/15/2026, 7:22:34 PM
Last updated: 5/15/2026, 8:10:52 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.