CVE-2026-35676 is a high-severity security vulnerability in thorsten/phpmyfaq (composer), affecting versions < 4.1.3. It is fixed in 4.1.3.
Summary The password reset API can be triggered without authentication and without any out-of-band confirmation step. If an attacker knows a valid username + email pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and only then sends the new password by email. This creates two issues at the same time: account enumeration through the response difference between valid and invalid pairs forced password reset of another user's account, which invalidates the old password immediately In my local reproduction, I confirmed both the response difference and the password change itself. Details The relevant code is in phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php. The route is exposed without authentication: The flow is straightforward: The core issue is that the password is changed immediately after a simple username and email match. There is no reset token, no confirmation link, no second step, and no requirement that the caller prove control of the mailbox before the password is replaced. That means the endpoint is not just a "forgot password email sender". It is an actual unauthenticated password change trigger. PoC This was reproduced against a local Docker deployment of the project. For a valid username and email pair: Response: For an invalid pair: Response: That already confirms enumeration. To verify that the password really changes, created a test account: username: user2 password: Oldpass123! email: [email protected] Before calling the endpoint, the password hash stored in faquserlogin was: Then send: The response was: After that, the stored hash changed to: Then try to log in with the old password: The application redirected back to the login page and reported that the password was incorrect. So this is not just a cosmetic issue in the API response. The old credential really becomes invalid. Impact The most realistic impact here is forced password reset and account disruption. An attacker who knows or can guess a valid username and email pair can: confirm whether the pair is valid force the target account's password to change cause the victim's old password to stop working immediately If the attacker does not control the victim's mailbox, this is usually a denial-of-service style account disruption rather than instant account takeover. That is the main reason I would keep the severity at Medium. Even so, this is still a real security issue. Password recovery should not allow an unauthenticated caller to change the account password directly. Remediation Recommend to change the password recovery flow to a token-based design. Do not change the password inside the unauthenticated endpoint. Generate a short-lived, single-use reset token and send only the reset link by email. Return the same generic response for both valid and invalid username/email pairs. Keep rate limiting in place, but do not rely on it as the main protection. Add regression tests that verify the password hash does not change until a valid reset token is presented.
CVE-2026-35676 has a CVSS score of 8.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (4.1.3). Upgrading removes the vulnerable code path.
composer
thorsten/phpmyfaq (< 4.1.3)phpmyfaq/phpmyfaq (< 4.1.3)thorsten/phpmyfaq → 4.1.3 (composer)phpmyfaq/phpmyfaq → 4.1.3 (composer)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-35676 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-35676 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-35676 in your environment →Upgrade the following packages to resolve this vulnerability:
thorsten/phpmyfaq to 4.1.3 or laterphpmyfaq/phpmyfaq to 4.1.3 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-35676 is a high-severity security vulnerability in thorsten/phpmyfaq (composer), affecting versions < 4.1.3. It is fixed in 4.1.3.
CVE-2026-35676 has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
thorsten/phpmyfaq (composer) (versions < 4.1.3)phpmyfaq/phpmyfaq (composer) (versions < 4.1.3)Yes. CVE-2026-35676 is fixed in 4.1.3. Upgrade to this version or later.
Whether CVE-2026-35676 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
thorsten/phpmyfaq to 4.1.3 or laterphpmyfaq/phpmyfaq to 4.1.3 or later