{"vulnerability": "GHSA-gp95-j463-vv28", "sightings": [{"uuid": "a8de795d-2cbb-4e41-83cc-c8657822d21e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-gp95-j463-vv28", "type": "seen", "source": "https://gist.github.com/alon710/ab000f54d49f4216c2a377595eab5831", "content": "# GHSA-GP95-J463-VV28: Authentication Bypass via Insecure Default Token in phpMyFAQ REST API\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-05-20\n> **Full Report:** https://cvereports.com/reports/GHSA-GP95-J463-VV28\n\n## Summary\nphpMyFAQ contains an authentication bypass vulnerability within its REST API architecture introduced in version 4.0. The vulnerability stems from insecure default initialization of the API client token to an empty string, coupled with flawed comparative logic in the authentication controller. This allows unauthenticated remote attackers to bypass authorization checks and interact with administrative API endpoints.\n\n## TL;DR\nAn insecure default configuration in phpMyFAQ versions prior to 4.1.3 initializes the REST API token to an empty string. Unauthenticated attackers can bypass authentication and inject arbitrary content by supplying an empty `x-pmf-token` HTTP header.\n\n## Exploit Status: PoC\n\n## Technical Details\n\n- **Vulnerability Type**: Authentication Bypass\n- **CWE ID**: CWE-1188\n- **CVSS Base Score**: 7.5\n- **Attack Vector**: Network\n- **Authentication Required**: None\n- **Integrity Impact**: High\n- **Exploit Status**: PoC Available\n\n## Affected Systems\n\n- phpMyFAQ REST API v4.0\n- phpMyFAQ Core Backend\n- **phpMyFAQ**: >= 4.0.0, < 4.1.3 (Fixed in: `4.1.3`)\n\n## Mitigation\n\n- Upgrade the software to a patched version\n- Manually define a secure API client token in configuration\n- Disable the REST API functionality if unused\n\n**Remediation Steps:**\n1. Verify current phpMyFAQ version via the administration dashboard.\n2. If running version 4.0.x up to 4.1.2, download the 4.1.3 update package.\n3. Apply the update following the official phpMyFAQ upgrade documentation.\n4. Navigate to Configuration -> API in the admin panel and ensure the 'apiClientToken' contains a secure, random string.\n5. Alternatively, disable 'enableAccess' under API settings if REST features are unneeded.\n\n## References\n\n- [GitHub Advisory Database: GHSA-GP95-J463-VV28](https://github.com/advisories/GHSA-GP95-J463-VV28)\n- [phpMyFAQ GitHub Repository](https://github.com/thorsten/phpMyFAQ)\n- [OSV Record for GHSA-GP95-J463-VV28](https://osv.dev/vulnerability/GHSA-gp95-j463-vv28)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-GP95-J463-VV28) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-20T19:10:50.000000Z"}]}