phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user
Description
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user regardless of their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyFAQ 4.0.16 and below lacks authorization on /api/setup/backup, allowing any authenticated user to trigger a configuration backup.
Root Cause
The SetupController.php uses userIsAuthenticated() on the /api/setup/backup endpoint but fails to verify that the requester has configuration or admin permissions [1][3]. This means the endpoint checks only authentication, not authorization, and any logged-in user can access it regardless of their assigned role.
Exploitation
An attacker who is authenticated as a low-privileged user can call the backup endpoint via an HTTP POST request. The official advisory demonstrates the PoC: after logging in as a non-admin user, sending a POST to /api/setup/backup triggers a configuration backup and returns a link to the generated ZIP file [3]. No additional privileges or special access are required.
Impact
By exploiting this flaw, an attacker gains access to a backup of the phpMyFAQ configuration. The backup may contain sensitive information such as database credentials, encryption keys, or other secrets. If the web server is misconfigured and the ZIP is stored in a web-accessible directory, the backup can be directly downloaded, leading to exposure of confidential data [3].
Mitigation
The vulnerability is fixed in phpMyFAQ version 4.0.17 [1][3]. Users running any earlier version should upgrade immediately to the patched release. No workaround is mentioned in the sources; updating is the recommended action.
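The root cause and the fix above reduce to one pattern: a handler that stops at "is the caller logged in?" versus one that also asks "is the caller allowed to do this?". The following PHP is an added illustration, not phpMyFAQ's own code: the User and Response classes, the userHasRight() helper and the right name 'backup_configuration' are hypothetical stand-ins; only userIsAuthenticated() and the /api/setup/backup path come from the advisory. It shows the authentication-only handler beside a hardened version that adds an explicit permission check and logs denials.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ's own code. User, Response, userHasRight() and the
// right name 'backup_configuration' are hypothetical stand-ins; only
// userIsAuthenticated() and the /api/setup/backup path come from the advisory.

final class User
{
    /** @param string[] $rights */
    public function __construct(public string $name, public array $rights = []) {}
}

final class Response
{
    public function __construct(public int $status, public array $body) {}
}

final class SetupController
{
    private const REQUIRED_RIGHT = 'backup_configuration'; // hypothetical right name

    public function __construct(private ?User $user) {}

    private function userIsAuthenticated(): bool
    {
        return $this->user !== null;
    }

    private function userHasRight(string $right): bool
    {
        return $this->user !== null && in_array($right, $this->user->rights, true);
    }

    // Flawed pattern described in the advisory: any authenticated user,
    // whatever their role, gets a backup and its path.
    public function backupVulnerable(): Response
    {
        if (!$this->userIsAuthenticated()) {
            return new Response(401, ['error' => 'Unauthorized']);
        }
        return new Response(200, ['file' => $this->createBackup()]);
    }

    // Hardened pattern: authentication first, then an explicit authorization
    // check. Denials are logged so repeated attempts are visible to defenders.
    public function backupHardened(): Response
    {
        if (!$this->userIsAuthenticated()) {
            return new Response(401, ['error' => 'Unauthorized']);
        }
        if (!$this->userHasRight(self::REQUIRED_RIGHT)) {
            error_log(sprintf(
                'authz denied: user=%s right=%s endpoint=/api/setup/backup',
                $this->user->name,
                self::REQUIRED_RIGHT
            ));
            return new Response(403, ['error' => 'Forbidden']);
        }
        return new Response(200, ['file' => $this->createBackup()]);
    }

    // Stand-in for the real backup routine: returns the path a caller would
    // receive without writing anything to disk.
    private function createBackup(): string
    {
        return '/backup/phpmyfaq-config-' . date('Ymd') . '.zip';
    }
}

// Constructed sample users: a low-privileged editor and an administrator.
$editor = new User('editor', ['edit_faq']);
$admin  = new User('admin', ['edit_faq', 'backup_configuration']);

foreach (['backupVulnerable', 'backupHardened'] as $method) {
    foreach ([$editor, $admin] as $user) {
        $response = (new SetupController($user))->$method();
        printf("%-16s %-6s -> %d\n", $method, $user->name, $response->status);
    }
}
```

Run with `php example.php` (PHP 8.0 or later for constructor property promotion). Only the hardened handler refuses the editor; the administrator is served by both. The design point is that the permission check is a separate, explicit step after authentication, and that the denied request leaves a log line a detection rule can key on.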
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyfaq/phpmyfaq (Packagist) | < 4.0.17 | 4.0.17 |
| thorsten/phpmyfaq (Packagist) | < 4.0.17 | 4.0.17 |
Affected products
- Range: <= 4.0.16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wm8h-26fv-mg7g (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-24421 (GHSA, advisory)
- github.com/thorsten/phpMyFAQ/security/advisories/GHSA-wm8h-26fv-mg7g (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.