CVE-2022-23807
Description
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated phpMyAdmin users can bypass two-factor authentication for future logins by manipulating their account settings.
Vulnerability
An issue exists in phpMyAdmin versions 4.9 before 4.9.8 and 5.1 before 5.1.2 where a valid authenticated user can manipulate their account to bypass two-factor authentication for future login instances [1][2]. The vulnerability lies in how phpMyAdmin processes a user's two-factor status, allowing an authenticated user to disable or bypass 2FA without proper re-authentication [2].
Exploitation
An attacker must already be authenticated to phpMyAdmin (presumably using their two-factor authentication method) to prepare their account for the bypass [2]. The exact sequence of actions is not publicly detailed, but it involves manipulating account settings to disable or bypass two-factor authentication for subsequent logins [2].
Impact
Successful exploitation allows the attacker to bypass two-factor authentication for that account in future login instances, weakening the security of the account [2]. However, the vendor notes that a user is already permitted to disable two-factor authentication through conventional means, so this vulnerability is not considered severe [2].
Mitigation
Upgrade to phpMyAdmin 4.9.8, 5.1.2, or newer [2]. The fix is implemented in commit ca54f1db050859eb8555875c6aa5d7796fdf4b32 [3]. No workaround is provided; upgrading is the recommended solution [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| phpmyadmin/phpmyadmin | Packagist | >= 4.9.0, < 4.9.8 | 4.9.8 |
| phpmyadmin/phpmyadmin | Packagist | >= 5.1.0, < 5.1.2 | 5.1.2 |
Affected products
No CPE identifiers are assigned to these entries; each is given as an OSV package coordinate with its affected version range. Ranges are paired with coordinates in the order the source lists them.

| Product | OSV coordinate | Affected range |
|---|---|---|
| phpMyAdmin/phpMyAdmin | pkg:bitnami/phpmyadmin | >= 4.9.0, < 4.9.8 |
| phpMyAdmin/phpMyAdmin | pkg:composer/phpmyadmin/phpmyadmin | >= 4.9.0, < 4.9.8 |
| phpMyAdmin/phpMyAdmin | pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.3 | < 4.9.11-bp153.2.6.1 |
| phpMyAdmin/phpMyAdmin | pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.4 | < 5.2.1-bp154.2.3.1 |
| phpMyAdmin/phpMyAdmin | pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2012 | < 4.9.11-bp153.2.6.1 |
| phpMyAdmin/phpMyAdmin | pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP3 | < 4.9.11-bp153.2.6.1 |
| phpMyAdmin/phpMyAdmin | pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP4 | < 5.2.1-bp154.2.3.1 |
Patches
ca54f1db0508: security - Fix - 2FA/U2F can be disabled without any code change
1 file changed · +16 −11
libraries/classes/DatabaseInterface.php+16 −11 modified@@ -1563,17 +1563,22 @@ public function setCollation($collation) */ public function initRelationParamsCache() { - if (strlen($GLOBALS['db'])) { - $cfgRelation = $this->relation->getRelationsParam(); - if (empty($cfgRelation['db'])) { - $this->relation->fixPmaTables($GLOBALS['db'], false); - } - } - $cfgRelation = $this->relation->getRelationsParam(); - if (empty($cfgRelation['db']) && isset($GLOBALS['dblist'])) { - if ($GLOBALS['dblist']->databases->exists('phpmyadmin')) { - $this->relation->fixPmaTables('phpmyadmin', false); - } + $storageDbName = $GLOBALS['cfg']['Server']['pmadb'] ?? ''; + // Use "phpmyadmin" as a default database name to check to keep the behavior consistent + $storageDbName = $storageDbName !== null + && is_string($storageDbName) + && $storageDbName !== '' ? $storageDbName : 'phpmyadmin'; + + // This will make users not having explicitly listed databases + // have config values filled by the default phpMyAdmin storage table name values + $this->relation->fixPmaTables($storageDbName, false); + + // This global will be changed if fixPmaTables did find one valid table + $storageDbName = $GLOBALS['cfg']['Server']['pmadb'] ?? ''; + + // Empty means that until now no pmadb was found eligible + if (empty($storageDbName)) { + $this->relation->fixPmaTables($GLOBALS['db'], false); } }
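Review bot: the final fallback `$this->relation->fixPmaTables($GLOBALS['db'], false);` in the new block still lets the currently selected database, which the user chooses, be probed as configuration storage whenever neither the configured `pmadb` nor the default `phpmyadmin` database yields a usable table, so the new ordering only protects deployments where one of those two is present; since the commit message says 2FA/U2F could be disabled through the storage lookup, consider either dropping that fallback or documenting in the comment why it is retained. Minor points: `$storageDbName !== null` in the ternary is redundant after `?? ''`, and the comment `This global will be changed if fixPmaTables did find one valid table` documents a side effect on `$GLOBALS['cfg']['Server']['pmadb']` that would be clearer if `fixPmaTables()` returned the selected storage name instead of mutating the global.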
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8wf2-3ggj-78q9 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23807 (NVD entry)
- security.gentoo.org/glsa/202311-17 (Gentoo vendor advisory)
- github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa5d7796fdf4b32 (fix commit)
- www.phpmyadmin.net/security/PMASA-2022-1 (phpMyAdmin security announcement; listed by both GHSA and MITRE)