VYPR
← All advisories
Low severityNVD Advisory· Published Jun 8, 2026

CVE-2026-48488

CVE-2026-48488

Description

phpMyFAQ versions prior to 4.1.4 use the cryptographically broken SHA-1 algorithm for hashing attachment passwords, allowing attackers to bypass protection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyFAQ versions prior to 4.1.4 use the cryptographically broken SHA-1 algorithm for hashing attachment passwords, allowing attackers to bypass protection.

Vulnerability

phpMyFAQ versions prior to 4.1.4 store attachment passwords hashed using the SHA-1 algorithm. SHA-1 is a cryptographically broken algorithm that has been vulnerable to collision attacks since 2017 [1, 2]. The affected file is phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.php [2].

Exploitation

An attacker can generate SHA-1 collisions to bypass attachment protection. If an attacker gains access to the database, they could potentially crack the attachment passwords in under a minute due to the weakness of SHA-1 [2].

Impact

Successful exploitation allows an attacker to bypass attachment protection mechanisms. If the database is compromised, an attacker can easily crack the attachment passwords, leading to unauthorized access to protected attachments [2].

Mitigation

phpMyFAQ version 4.1.4 addresses this vulnerability by no longer hashing attachment keys with SHA-1 [1]. Users should update to version 4.1.4 or later. No workarounds are specified in the available references [2].

References
  1. fix: stop hashing attachment keys with SHA-1 · thorsten/phpMyFAQ@1aa9be6
  2. Weak Cryptography - SHA1 for Password Hashing

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
1aa9be6f8a2f

fix: stop hashing attachment keys with SHA-1

https://github.com/thorsten/phpmyfaqThorsten RinneMay 21, 2026via nvd-ref
commit
2 files changed · +11 47
  • phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.php+8 27 modified
    @@ -70,11 +70,6 @@ abstract class AbstractAttachment
      */
     protected string $virtualHash = '';
 
-    /**
-     * If this is set, the sh1 hashed key we got must equal to it.
-     */
-    protected string $passwordHash = '';
-
     /**
      * Filesize in bytes.
      */
@@ -118,12 +113,12 @@ protected function getMeta(): bool
         $hasMeta = false;
 
         $sql = sprintf('
-            SELECT 
-                record_id, record_lang, real_hash, virtual_hash, password_hash,
+            SELECT
+                record_id, record_lang, real_hash, virtual_hash,
                 filename, filesize, encrypted, mime_type
             FROM
                 %sfaqattachment
-            WHERE 
+            WHERE
                 id = %d', Database::getTablePrefix(), $this->id);
 
         $result = $this->databaseDriver->query($sql);
@@ -135,7 +130,6 @@ protected function getMeta(): bool
                 $this->recordLang = $assoc['record_lang'];
                 $this->realHash = $assoc['real_hash'];
                 $this->virtualHash = $assoc['virtual_hash'];
-                $this->passwordHash = $assoc['password_hash'];
                 $this->filename = $assoc['filename'];
                 $this->filesize = (int) $assoc['filesize'];
                 $this->encrypted = (bool) $assoc['encrypted'];
@@ -154,26 +148,14 @@ public function buildUrl(): string
     }
 
     /**
-     * Set encryption key.
+     * Set an encryption key.
      *
      * @param string|null $key Encryption key
-     * @param bool        $default if the key is default system-wide
      */
-    public function setKey(?string $key, bool $default = true): void
+    public function setKey(?string $key): void
     {
         $this->key = $key;
         $this->encrypted = null !== $key;
-        // Not default means the key was set explicitly
-        // for this attachment, so let's hash it
-        if (!$this->encrypted) {
-            return;
-        }
-
-        if ($default) {
-            return;
-        }
-
-        $this->passwordHash = sha1((string) $key);
     }
 
     /**
@@ -236,19 +218,18 @@ public function saveMeta(): int
 
             $sql = sprintf(
                 "
-                INSERT INTO 
+                INSERT INTO
                     %s
                 (id, record_id, record_lang, real_hash, virtual_hash,
-                password_hash, filename, filesize, encrypted, mime_type)
+                filename, filesize, encrypted, mime_type)
                     VALUES
-                (%d, %d, '%s', '%s', '%s', '%s', '%s', %d, %d, '%s')",
+                (%d, %d, '%s', '%s', '%s', '%s', %d, %d, '%s')",
                 $attachmentTableName,
                 $this->id,
                 $this->recordId,
                 $this->databaseDriver->escape($this->recordLang),
                 $this->databaseDriver->escape($this->realHash),
                 $this->databaseDriver->escape($this->virtualHash),
-                $this->databaseDriver->escape($this->passwordHash),
                 $this->databaseDriver->escape($this->filename),
                 $this->filesize,
                 $this->encrypted ? 1 : 0,
  • tests/phpMyFAQ/Attachment/AbstractAttachmentTest.php+3 20 modified
    @@ -204,37 +204,21 @@ public function testSetRecordLang(): void
         $this->assertEquals('fr', $property->getValue($this->attachment));
     }
 
-    public function testSetKeyWithDefaultEncryption(): void
+    public function testSetKeyWithEncryption(): void
     {
-        $this->attachment->setKey('secret123', true);
+        $this->attachment->setKey('secret123');
 
         $reflection = new ReflectionClass($this->attachment);
         $keyProperty = $reflection->getProperty('key');
         $encryptedProperty = $reflection->getProperty('encrypted');
-        $passwordHashProperty = $reflection->getProperty('passwordHash');
 
         $this->assertEquals('secret123', $keyProperty->getValue($this->attachment));
         $this->assertTrue($encryptedProperty->getValue($this->attachment));
-        $this->assertEquals('', $passwordHashProperty->getValue($this->attachment));
-    }
-
-    public function testSetKeyWithCustomEncryption(): void
-    {
-        $this->attachment->setKey('custom456', false);
-
-        $reflection = new ReflectionClass($this->attachment);
-        $keyProperty = $reflection->getProperty('key');
-        $encryptedProperty = $reflection->getProperty('encrypted');
-        $passwordHashProperty = $reflection->getProperty('passwordHash');
-
-        $this->assertEquals('custom456', $keyProperty->getValue($this->attachment));
-        $this->assertTrue($encryptedProperty->getValue($this->attachment));
-        $this->assertEquals(sha1('custom456'), $passwordHashProperty->getValue($this->attachment));
     }
 
     public function testSetKeyWithNull(): void
     {
-        $this->attachment->setKey(null, true);
+        $this->attachment->setKey(null);
 
         $reflection = new ReflectionClass($this->attachment);
         $keyProperty = $reflection->getProperty('key');
@@ -256,7 +240,6 @@ public function testSaveMetaNewAttachment(): void
             'recordLang' => 'en',
             'realHash' => 'real123',
             'virtualHash' => 'virtual456',
-            'passwordHash' => 'pwd789',
             'filename' => 'test.pdf',
             'filesize' => 1024,
             'encrypted' => true,

Vulnerability mechanics

Root cause

"Attachment passwords were hashed using the cryptographically broken SHA-1 algorithm."

Attack vector

An attacker can exploit this vulnerability by generating SHA-1 collisions to bypass attachment protection. This could lead to password cracking if the database is compromised, with an estimated cracking time of less than a minute for standard attachments [ref_id=2]. The vulnerability lies in the hashing of attachment keys with SHA-1, which provides weak protection [ref_id=1].

Affected code

The vulnerability is located in the `AbstractAttachment.php` file within the `phpMyFAQ` application. Specifically, the `passwordHash` property and its usage in hashing attachment keys with `sha1()` were removed. The `setKey` method and the SQL query for retrieving attachment metadata were modified to no longer handle or store the SHA-1 hashed password [ref_id=1].

What the fix does

The patch removes the `passwordHash` property and its associated logic from the `AbstractAttachment` class. It also removes the `sha1()` hashing from the `setKey` method and stops selecting the `password_hash` column in the database query. This change eliminates the use of the weak SHA-1 hashing algorithm for attachment passwords, thereby addressing the vulnerability [ref_id=1].

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.