CVE-2026-46359
Description
phpMyFAQ before 4.1.2 contains a SQL injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break out of string literals and execute arbitrary database queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyFAQ before 4.1.2 has a SQL injection in CurrentUser::setTokenData via unescaped OAuth token fields, allowing authenticated attackers to execute arbitrary SQL.
In phpMyFAQ versions prior to 4.1.2, the CurrentUser::setTokenData() method constructs a SQL UPDATE statement using sprintf and directly interpolates OAuth token fields (refresh_token, access_token, code_verifier, and json_encode($token['jwt'])) without calling $db->escape(). This contrasts with sibling methods like setAuthSource() and setRememberMe() that properly escape user-controlled values [1]. The omission allows SQL injection when token fields contain SQL metacharacters.
To exploit this, an attacker must be authenticated, for example via Azure AD OAuth, and must have token claims (such as a display name or JWT claim) that include a single quote or other SQL metacharacters. For instance, a display name like "O'Brien" would break the SQL string literal after JSON encoding, enabling the attacker to inject arbitrary SQL commands [2]. The attack requires the attacker to have an account that triggers the OAuth flow and populates these token fields.
Successful exploitation allows an authenticated attacker to execute arbitrary SQL queries against the phpMyFAQ database. This can lead to data exfiltration, modification, or privilege escalation within the application [1][2].
The vulnerability is fixed in phpMyFAQ version 4.1.2. Administrators should upgrade immediately; no workarounds have been published [1]. Organizations using phpMyFAQ with Azure AD authentication should prioritize patching.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
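As an added illustration (not phpMyFAQ's own code), the sprintf pattern the narrative describes, shown next to the escaped form that the sibling methods use and a prepared-statement form; the table and column names and the PDO stand-in for $db->escape() are assumptions.

```php
<?php
// Added illustration, not phpMyFAQ's code. Table/column names and the
// PDO-based stand-in for $db->escape() are assumptions.

// BEFORE: the pattern the advisory describes. Each token field is dropped
// straight into the SQL text, so a quote inside a claim ends the literal.
function buildUnsafeUpdate(array $token, int $userId): string
{
    return sprintf(
        "UPDATE faquser SET refresh_token = '%s', access_token = '%s', "
        . "code_verifier = '%s', jwt = '%s' WHERE user_id = %d",
        $token['refresh_token'], $token['access_token'],
        $token['code_verifier'], json_encode($token['jwt']), $userId
    );
}

// AFTER (minimal fix): escape every user-controlled value first, as the
// advisory says setAuthSource() and setRememberMe() already do.
// PDO::quote() stands in for $db->escape(); its outer quotes are stripped.
function buildEscapedUpdate(PDO $pdo, array $token, int $userId): string
{
    $esc = fn(string $v): string => substr($pdo->quote($v), 1, -1);
    return sprintf(
        "UPDATE faquser SET refresh_token = '%s', access_token = '%s', "
        . "code_verifier = '%s', jwt = '%s' WHERE user_id = %d",
        $esc($token['refresh_token']), $esc($token['access_token']),
        $esc($token['code_verifier']), $esc(json_encode($token['jwt'])), $userId
    );
}

// PREFERRED: a prepared statement, so claim values never become SQL text.
function updateTokenData(PDO $pdo, array $token, int $userId): bool
{
    $stmt = $pdo->prepare('UPDATE faquser SET refresh_token = :rt, access_token = :at, '
        . 'code_verifier = :cv, jwt = :jwt WHERE user_id = :id');
    return $stmt->execute([
        ':rt' => $token['refresh_token'], ':at' => $token['access_token'],
        ':cv' => $token['code_verifier'], ':jwt' => json_encode($token['jwt']),
        ':id' => $userId,
    ]);
}

// Constructed sample: a JWT claim carrying the "O'Brien" display name from the text.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE faquser (user_id INTEGER PRIMARY KEY, refresh_token TEXT, access_token TEXT, code_verifier TEXT, jwt TEXT)');
$pdo->exec('INSERT INTO faquser (user_id) VALUES (1)');
$token = ['refresh_token' => 'r', 'access_token' => 'a', 'code_verifier' => 'v', 'jwt' => ['name' => "O'Brien"]];
echo buildUnsafeUpdate($token, 1), PHP_EOL;        // the apostrophe terminates the jwt literal
echo buildEscapedUpdate($pdo, $token, 1), PHP_EOL; // apostrophe is doubled, literal stays intact
var_dump(updateTokenData($pdo, $token, 1));        // bool(true): row updated safely
```

Run with a PHP build that has the pdo_sqlite extension; only the first echo shows a statement that would fail to parse if executed.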
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.