CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-9QV9-8XV6-5P35

GHSA-9qv9-8xv6-5p35: Unauthenticated Password Reset and Enumeration Flaw in phpMyFAQ

Alon Barad
Alon Barad
Software Engineer

May 21, 2026·6 min read·8 visits

Executive Summary (TL;DR)

A weak password recovery mechanism in phpMyFAQ <= 4.1.2 allows unauthenticated attackers to force password resets for targeted users and enumerate valid accounts. The system immediately updates the database password upon receiving a matching username and email, bypassing standard token-based verification.

phpMyFAQ versions 4.1.2 and prior contain a critical logic flaw in the REST API password recovery mechanism. The endpoint processes password resets in a single, unauthenticated step, allowing remote attackers to forcefully change database credentials for arbitrary accounts while facilitating user enumeration through observable response discrepancies.

Vulnerability Overview

GHSA-9qv9-8xv6-5p35 exposes a fundamental logic flaw in the REST API components of phpMyFAQ, specifically affecting version 4.1.2 and earlier. The application implements an insecure password recovery mechanism that violates standard identity verification workflows.

Secure password reset flows require an out-of-band verification step, typically generating a cryptographic token sent to the user's registered email address. The password is only updated in the database after the user submits this valid, time-bound token back to the server.

In the vulnerable implementation, phpMyFAQ processes the password reset in a single, synchronous step. Upon receiving a request containing a valid username and corresponding email address, the application immediately generates a new password and overwrites the existing credentials in the database before dispatching the notification email.

This behavior introduces two distinct security issues: a Weak Password Recovery Mechanism (CWE-640) and Information Exposure Through Discrepancy (CWE-204). Remote, unauthenticated attackers can leverage these flaws to disrupt access for legitimate users and accurately map registered accounts on the target system.

Root Cause Analysis

The vulnerability originates in the UnauthorizedUserController class, which handles public-facing API requests that do not require an active session. The specific function at fault is the updatePassword method, mapped to the PUT /api/index.php/user/password/update endpoint.

When a client submits a PUT request to this endpoint, the application extracts the username and email fields from the JSON payload. The application queries the faquserlogin table to determine if the username exists and subsequently verifies if the provided email matches the stored record for that user.

If both conditions evaluate to true, the application instantiates a password generation routine. The critical error occurs in the immediate execution of the $user->changePassword($newPassword) function. This function persists the newly generated password to the database synchronously, permanently destroying the user's previous credentials.

Only after the database transaction is finalized does the application attempt to send the new password to the user via the $mail->send() method. The failure to defer the database update until the user proves control of the email address constitutes the core logic flaw.

Code Analysis and Execution Flow

An analysis of the vulnerable source code in phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php demonstrates the immediate credential modification.

#[Route(path: 'user/password/update', name: 'api.private.user.password', methods: ['PUT'])]
public function updatePassword(Request $request): JsonResponse {
    // Extract username and email from JSON body
    $loginExist = $user->getUserByLogin($username);
 
    if ($loginExist && $email === $user->getUserData('email')) {
        $newPassword = $user->createPassword();
        
        // VULNERABILITY: Password changed immediately in the DB
        $user->changePassword($newPassword); 
        
        $mail->send();
        return $this->json(['success' => 'Email has been sent.'], Response::HTTP_OK);
    }
 
    // VULNERABILITY: Observable discrepancy permits enumeration
    return $this->json(['error' => 'Error: Username and email address not found.'], Response::HTTP_CONFLICT);
}

The code block above highlights both the forced reset and the enumeration flaw. The application returns an HTTP 200 OK status for valid inputs and an HTTP 409 Conflict for invalid inputs.

The patch introduced in version 4.1.3 resolves this by overhauling the recovery workflow. Instead of generating a password, the system now generates a temporary validation token, emails the token to the user, and requires a subsequent API call providing the token to authorize the password update. The patch also standardizes the API response to prevent enumeration.

Exploitation Methodology

Exploitation requires zero privileges and minimal network access. An attacker interacts directly with the exposed REST API using standard HTTP client tools.

To execute the forced password reset, the attacker constructs a PUT request containing the targeted user's known username and email address. The payload structure requires a basic JSON body.

PUT /api/index.php/user/password/update HTTP/1.1
Host: target-phpmyfaq-instance.local
Content-Type: application/json
 
{
  "username": "admin",
  "email": "admin@example.com"
}

If the targeted user exists, the server returns an HTTP 200 OK response. At this precise moment, the targeted user's active session remains valid, but their stored password is changed. Once their session expires or they attempt to log in from a new device, they will be denied access until they retrieve the system-generated password from their email inbox.

Attackers utilize the observable discrepancies in the HTTP response codes to conduct user enumeration. By iterating through lists of common usernames and company email structures, an attacker automates requests to the endpoint. An HTTP 409 Conflict confirms the user does not exist, while an HTTP 200 OK confirms a valid target, simultaneously locking that user out of their account.

Impact Assessment

The vulnerability carries a CVSS v3.1 base score of 7.0, reflecting its high impact on system integrity and its fully remote, unauthenticated attack vector. The absence of complex preconditions makes this flaw highly reproducible in default deployments.

The immediate consequence is localized Denial of Service (DoS) through account disruption. Attackers can script continuous requests against targeted administrative accounts, ensuring the database password changes repeatedly. This prevents legitimate administrators from successfully logging in, as the password emailed to them is invalidated by the next automated attack request before it can be used.

The enumeration capability presents significant risks for organizational security posture. Attackers map valid internal identities, facilitating targeted spear-phishing campaigns or brute-force attacks against other enterprise services.

While this vulnerability does not directly expose the new password to the attacker, it severely degrades access controls. If an attacker possesses secondary access to the victim's communication channels, such as a compromised email inbox or the ability to intercept outbound SMTP traffic, this logic flaw escalates immediately to full account takeover.

Detection and Remediation

The primary remediation strategy requires upgrading the phpMyFAQ deployment to version 4.1.3 or later. This version replaces the synchronous password reset with a secure, token-based verification flow and normalizes API responses to mitigate enumeration.

Organizations unable to patch immediately should implement compensating controls at the network perimeter. Web Application Firewalls (WAF) or reverse proxies can be configured to block or rate-limit unauthenticated PUT requests to the /api/index.php/user/password/update endpoint.

Security operations teams should monitor web server access logs and API gateways for suspicious activity patterns. Sequences of HTTP 409 Conflict responses originating from a single IP address, particularly when targeting the password update endpoint, indicate active user enumeration attempts.

Administrators should also audit internal mail server logs. An abnormal spike in password reset notifications originating from the phpMyFAQ application server serves as a high-fidelity indicator that the forced reset vulnerability is being actively exploited.

Official Patches

phpMyFAQOfficial Security Advisory
GitHubphpMyFAQ Source Repository

Technical Appendix

CVSS Score
7.0/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Affected Systems

phpMyFAQ REST APIphpMyFAQ Frontend Controller

Affected Versions Detail

Product
Affected Versions
Fixed Version
phpMyFAQ
phpMyFAQ
<= 4.1.24.1.3
AttributeDetail
CVSS Score7.0 (High)
Attack VectorNetwork
Privileges RequiredNone
User InteractionNone
CWE IDCWE-640, CWE-204
Exploit StatusProof of Concept Available

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1087.004Account Discovery: Cloud Account
Discovery
T1498.001Network Denial of Service: Direct Network Flood
Impact
CWE-640
Weak Password Recovery Mechanism for Forgotten Password

The application contains a mechanism for users to recover or change their passwords without validating their identity via a secure token or verification step.

Known Exploits & Detection

Context ResearchHTTP PUT request targeting /api/index.php/user/password/update with JSON body containing known username and email.

Vulnerability Timeline

phpMyFAQ 4.1.3 released, addressing the vulnerability.
2026-05-13
Vendor Security Advisory published.
2026-05-14
GHSA-9qv9-8xv6-5p35 published on GitHub.
2026-05-20

References & Sources

  • [1]Official Advisory: phpMyFAQ Security Advisory 2026-05-14
  • [2]GitHub Advisory: GHSA-9qv9-8xv6-5p35
  • [3]OSV Data: GHSA-9qv9-8xv6-5p35

More Reports

•2 days ago•CVE-2026-54269
5.3

CVE-2026-54269: Runtime Property Shadowing and Denial of Service in protobufjs

A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.

Alon Barad
Alon Barad
7 views•6 min read
•3 days ago•CVE-2025-6965
7.7

CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser

An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.

Amit Schendel
Amit Schendel
13 views•6 min read
•4 days ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
26 views•8 min read
•4 days ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
8 views•5 min read
•4 days ago•CVE-2026-56350
6.3

CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).

Amit Schendel
Amit Schendel
11 views•6 min read
•8 days ago•CVE-2026-55699
6.5

CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver

CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.

Amit Schendel
Amit Schendel
26 views•6 min read