CVE-2026-49205 · MEDIUM · CVSS 6.5

phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)

Published Jun 23, 2026·Updated Jun 23, 2026

Description

Missing Authorization in the API CategoryController (and three sibling endpoints). CVE-2026-24421 fixed BackupController by adding `userHasPermission(PermissionType::BACKUP)`. The same fix was not applied to four other write endpoints in the public API. All four only call `hasValidToken()`, which validates a shared API key, and never call `userHasPermission()`, so any holder of the API token can perform these write operations regardless of the permissions of the user account behind the request.

## Summary

CVE-2026-24421 fixed BackupController by adding:

    $this->userHasPermission(PermissionType::BACKUP);

The same fix was not applied to four other write endpoints in the public API. All four only call `$this->hasValidToken()`, which checks a shared API key header, not the individual user's role permissions.

## Affected Endpoints

1. `src/phpMyFAQ/Controller/Api/CategoryController.php` → `create()`, `POST /api/v4.0/category`
   Missing: `userHasPermission(PermissionType::CATEGORY_ADD)`
   Any API token holder can create categories regardless of user role.

2. `src/phpMyFAQ/Controller/Api/FaqController.php` → `create()`, `POST /api/v4.0/faq`
   Missing: `userHasPermission(PermissionType::FAQ_ADD)`
   Any API token holder can create FAQ entries regardless of user role.

3. `src/phpMyFAQ/Controller/Api/FaqController.php` → `update()`, `PUT /api/v4.0/faq`
   Missing: `userHasPermission(PermissionType::FAQ_EDIT)`
   Any API token holder can update any FAQ entry regardless of user role.

4. `src/phpMyFAQ/Controller/Api/QuestionController.php` → `create()`, `POST /api/v4.0/question`
   Missing: permission check
   Any API token holder can create questions regardless of user role.

## Root Cause

All four methods only call:

    $this->hasValidToken();   // shared API key, not per-user

The fixed BackupController additionally calls:

    $this->userHasPermission(PermissionType::BACKUP);

`PermissionType::CATEGORY_ADD`, `FAQ_ADD` and `FAQ_EDIT` all exist in `src/phpMyFAQ/Enums/PermissionType.php`; they are simply not used by these endpoints. The practical consequence is that the shared API key becomes the only effective authorization boundary for these writes: a user whose role has no category, FAQ or question rights, but who has been issued (or has obtained) the API token, is treated the same as an administrator.

## Fix

Add `userHasPermission()` before the business logic in each method, after the token check:

```php
// CategoryController.create()
$this->userHasPermission(PermissionType::CATEGORY_ADD);

// FaqController.create()
$this->userHasPermission(PermissionType::FAQ_ADD);

// FaqController.update()
$this->userHasPermission(PermissionType::FAQ_EDIT);
```

## Reporter

Santhoshini Ganta
GitHub: @santhoshinipayload
Email: santhoshinive75@gmail.com
LinkedIn: http://linkedin.com/in/santhoshini-g-1440621ba
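The authorization gap the advisory describes, shown as an added PHP illustration rather than phpMyFAQ's own code: a controller whose only gate is the shared API key, beside one that also enforces a per-user permission. The `PermissionType` cases are the names the advisory quotes, but the `Request` and `User` classes, the shared-key constant, and the fact that `hasValidToken()` and `userHasPermission()` take a `$request` argument here (the real controllers resolve the current user internally and are called as `$this->...` with no request parameter) are all assumptions made for this example.

```php
<?php
// Added example for this advisory page. Constructed code, NOT phpMyFAQ's
// controllers: names follow the advisory, bodies are assumptions.
declare(strict_types=1);

enum PermissionType: string
{
    case BACKUP       = 'backup';
    case CATEGORY_ADD = 'add_category';
    case FAQ_ADD      = 'add_faq';
    case FAQ_EDIT     = 'edit_faq';
}

final class UnauthorizedHttpException extends RuntimeException {}

final class User
{
    /** @param PermissionType[] $permissions */
    public function __construct(public readonly string $name, private array $permissions) {}

    public function perm(PermissionType $p): bool
    {
        return in_array($p, $this->permissions, true);
    }
}

final class Request
{
    public function __construct(public readonly string $token, public readonly User $user) {}
}

abstract class AbstractController
{
    private const API_TOKEN = 'shared-api-key'; // constructed secret for the demo

    protected function hasValidToken(Request $request): void
    {
        // Proves only that the caller knows the shared key; it says nothing
        // about which user (and therefore which role) is behind the request.
        if (!hash_equals(self::API_TOKEN, $request->token)) {
            throw new UnauthorizedHttpException('invalid API token');
        }
    }

    protected function userHasPermission(Request $request, PermissionType $permission): void
    {
        // The per-user check the advisory says BackupController gained and
        // the four other write endpoints lack.
        if (!$request->user->perm($permission)) {
            throw new UnauthorizedHttpException('user lacks ' . $permission->value);
        }
    }
}

final class VulnerableCategoryController extends AbstractController
{
    public function create(Request $request, string $name): string
    {
        $this->hasValidToken($request);            // shared key only
        return "created category '$name'";
    }
}

final class FixedCategoryController extends AbstractController
{
    public function create(Request $request, string $name): string
    {
        $this->hasValidToken($request);
        $this->userHasPermission($request, PermissionType::CATEGORY_ADD); // the fix
        return "created category '$name'";
    }
}

// Driver: a user with no write rights who nevertheless holds the shared key,
// next to an administrator. Both inputs are constructed for the demo.
$viewer = new Request('shared-api-key', new User('viewer', []));
$admin  = new Request('shared-api-key', new User('admin', [PermissionType::CATEGORY_ADD]));

foreach ([new VulnerableCategoryController(), new FixedCategoryController()] as $controller) {
    foreach ([$viewer, $admin] as $req) {
        try {
            $result = $controller->create($req, 'Billing');
        } catch (UnauthorizedHttpException $e) {
            $result = '403 ' . $e->getMessage();
        }
        printf("%-30s %-7s %s\n", $controller::class, $req->user->name, $result);
    }
}
```

Run with `php example.php` (PHP 8.1 or later for enums and readonly properties). The vulnerable controller creates the category for both callers; the fixed one creates it for `admin` and rejects `viewer` with `403 user lacks add_category`, which is the behaviour to confirm after upgrading to 4.1.4 for each of the four endpoints listed above.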

Affected Packages (2)

phpmyfaq/phpmyfaq (Composer): fixed in 4.1.4
thorsten/phpmyfaq (Composer): fixed in 4.1.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Note that the published vector records confidentiality impact only (C:H, I:N), while the behaviour described above is unauthorized creation and modification of categories, FAQ entries and questions, which is an integrity impact. Triage on the description and the affected endpoints rather than on the vector alone.

