Moderate severityNVD Advisory· Published Jan 24, 2026· Updated Jan 26, 2026
phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user
CVE-2026-24421
Description
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpmyfaq/phpmyfaqPackagist | < 4.0.17 | 4.0.17 |
thorsten/phpmyfaqPackagist | < 4.0.17 | 4.0.17 |
Affected products
2- ghsa-coords2 versions
< 4.0.17+ 1 more
- (no CPE)range: < 4.0.17
- (no CPE)range: < 4.0.17
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-wm8h-26fv-mg7gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24421ghsaADVISORY
- github.com/thorsten/phpMyFAQ/security/advisories/GHSA-wm8h-26fv-mg7gghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.