VYPR
Moderate severityNVD Advisory· Published Jan 24, 2026· Updated Jan 26, 2026

phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user

CVE-2026-24421

Description

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
phpmyfaq/phpmyfaqPackagist
< 4.0.174.0.17
thorsten/phpmyfaqPackagist
< 4.0.174.0.17

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.