phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)
Description
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomplete permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyFAQ 4.0.16 and below allow authenticated users without the dlattachment permission to download attachments due to flawed permission checks.
Vulnerability
Description
phpMyFAQ versions 4.0.16 and below contain a broken access control vulnerability in the attachment download functionality. The root cause lies in attachment.php, where the permission check improperly validates authorization. The code uses isset($permission['dlattachment']) to verify the right, but isset() returns true even when the permission value is false. This means the mere presence of the key in the permissions array is treated as proof of authorization, regardless of its actual boolean value [1][3].
Exploitation
An authenticated user without the dlattachment right can exploit this by sending a direct request to the attachment download endpoint. The flawed conditional expression ($groupPermission || ($groupPermission && $userPermission)) further simplifies to $groupPermission for some permission modes, bypassing user-level restrictions. The attack requires a non-admin user account and an FAQ record with an attachment, with guest downloads disabled [3].
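The two defects described above (an isset()-only presence check and a group/user conditional that collapses to the group result) are easy to reproduce in isolation. The following is an added illustrative PHP script, not phpMyFAQ's own code; the permission arrays, function names and the "both checks must pass" policy in the hardened variant are assumptions for the demonstration, and the authoritative fix is the one shipped in 4.0.17.

```php
<?php
declare(strict_types=1);

// Illustrative example (not phpMyFAQ code). All inputs below are constructed.

// Flawed pattern: isset() only tests that the key exists in the array.
// A right that was explicitly revoked ('dlattachment' => false) still passes.
function flawedCanDownload(array $permission): bool
{
    return isset($permission['dlattachment']);
}

// Hardened pattern: the key must be present AND strictly true.
// A missing key and a false value are both treated as "not authorized".
function canDownload(array $permission): bool
{
    return ($permission['dlattachment'] ?? false) === true;
}

// Flawed combination quoted in the advisory. By Boolean absorption,
// G || (G && U) is identical to G, so the user-level result never matters.
function flawedCombine(bool $groupPermission, bool $userPermission): bool
{
    return $groupPermission || ($groupPermission && $userPermission);
}

// Hardened combination (assumed policy for this example): require both.
function combine(bool $groupPermission, bool $userPermission): bool
{
    return $groupPermission && $userPermission;
}

// Constructed permission arrays for three kinds of user.
$cases = [
    'granted' => ['dlattachment' => true],
    'revoked' => ['dlattachment' => false],   // the case the bug mishandles
    'absent'  => [],
];

echo "presence-check vs value-check\n";
foreach ($cases as $label => $permission) {
    printf(
        "  %-8s flawed=%-5s hardened=%s\n",
        $label,
        var_export(flawedCanDownload($permission), true),
        var_export(canDownload($permission), true)
    );
}

// Truth table showing the flawed conditional equals the group result alone.
echo "group/user combination\n";
foreach ([true, false] as $g) {
    foreach ([true, false] as $u) {
        printf(
            "  group=%-5s user=%-5s flawed=%-5s (== group: %s) hardened=%s\n",
            var_export($g, true),
            var_export($u, true),
            var_export(flawedCombine($g, $u), true),
            var_export(flawedCombine($g, $u) === $g, true),
            var_export(combine($g, $u), true)
        );
    }
}
```

Run with `php example.php`. The first table shows the "revoked" user passing the flawed check and failing the hardened one; the second shows that every row of the flawed conditional equals the group value, which is why user-level restrictions had no effect. When reviewing similar authorization code, grep for isset() or array_key_exists() used directly as an authorization decision and for disjunctions of the form `$a || ($a && $b)`.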
Impact
Successful exploitation allows an attacker to download any FAQ attachment, leading to a confidentiality breach. Depending on the content of the attachments, this could expose sensitive documents or confidential information [1][3].
Mitigation
The issue has been fixed in phpMyFAQ version 4.0.17. Users are strongly advised to upgrade to this version or later. No workaround is mentioned in the advisory [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Source | Affected versions | Patched versions |
|---|---|---|---|
| phpmyfaq/phpmyfaq | Packagist | < 4.0.17 | 4.0.17 |
| thorsten/phpmyfaq | Packagist | < 4.0.17 | 4.0.17 |
Affected products
- Range: <=4.0.16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7p9h-m7m8-vhhv (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-24420 (ADVISORY)
- github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv (x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.