CVE-2026-45007

CVE-2026-45007 is a medium-severity missing authorization vulnerability in thorsten/phpmyfaq (composer), affecting versions <= 4.1.1. It is fixed in 4.1.2.

Summary

12 endpoints in ConfigurationTabController.php use userIsAuthenticated() (login-only check) instead of userHasPermission(PermissionType::CONFIGURATION_EDIT). This allows any authenticated user, including ones with zero admin permissions, to enumerate system configuration metadata including the permission model, active template, cache backend, mail provider, and translation provider.

Details

The ConfigurationTabController contains 15 public endpoints. Three of them (list, save, uploadTheme) correctly enforce CONFIGURATION_EDIT permission:

// phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php:63
public function list(Request $request): Response
{
    $this->userHasPermission(PermissionType::CONFIGURATION_EDIT); // ✅ Correct
    // ...
}

The remaining 12 only check that the user is logged in:

// phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php:353
public function translations(): Response
{
    $this->userIsAuthenticated(); // ❌ Missing permission check
    // ...
}

The difference between these two methods is significant:

// AbstractController.php:258, login-only
protected function userIsAuthenticated(): void
{
    if (!$this->currentUser->isLoggedIn()) {
        throw new UnauthorizedHttpException(challenge: 'User is not authenticated.');
    }
}

// AbstractController.php:317, login + permission check
protected function userHasPermission(PermissionType $permissionType): void
{
    if (!$this->currentUser->isLoggedIn()) {
        throw new UnauthorizedHttpException(challenge: 'User is not authenticated.');
    }
    $currentUser = $this->currentUser;
    if (!$currentUser?->perm->hasPermission($currentUser->getUserId(), $permissionType->value)) {
        throw new ForbiddenException(/* ... */);
    }
}

There is no middleware or router-level authorization, the Kernel (Kernel.php) dispatches directly to controllers with only Language, Router, and Exception listeners. All authorization is at the controller method level.

The 12 affected endpoints (all GET, all under /admin/api/):

# Method Route Info Exposed
1 translations() /configuration/translations Available languages + current language
2 templates() /configuration/templates Available themes + active theme
3 faqsSortingKey() /configuration/faqs-sorting-key/{current} FAQ sorting key options
4 faqsSortingOrder() /configuration/faqs-sorting-order/{current} FAQ sorting order
5 faqsSortingPopular() /configuration/faqs-sorting-popular/{current} Popular FAQ sorting
6 permLevel() /configuration/perm-level/{current} Permission model (basic/medium)
7 releaseEnvironment() /configuration/release-environment/{current} Dev/production environment
8 searchRelevance() /configuration/search-relevance/{current} Search relevance config
9 seoMetaTags() /configuration/seo-metatags/{current} SEO meta tag config
10 translationProvider() /configuration/translation-provider/{current} Translation service (DeepL, etc.)
11 mailProvider() /configuration/mail-provider/{current} Mail provider (SMTP, etc.)
12 cacheAdapter() /configuration/cache-adapter/{current} Cache backend (filesystem/redis/memcached)

The translations() and templates() endpoints directly read from config/filesystem and expose current settings. The {current} endpoints render HTML <option> dropdowns where the caller-supplied value gets the selected attribute, an attacker can enumerate possible values to discover the current configuration.

PoC

# Step 1: Authenticate as any user (even one with no admin permissions)
# and obtain the session cookie (pmf_auth_XXXX)

# Step 2: Query configuration endpoints that should require CONFIGURATION_EDIT permission

# Enumerate available languages and current language setting
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/translations

# Enumerate available templates and which is active
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/templates

# Discover permission model by trying known values
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/perm-level/basic

# Discover release environment
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/release-environment/development

# Discover cache backend
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/cache-adapter/filesystem

# Discover mail provider
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/mail-provider/smtp

# Discover translation provider
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/translation-provider/deepl

Expected: HTTP 403 Forbidden for a user without configuration_edit permission.
Actual: HTTP 200 with configuration data in HTML option format.

Impact

Any authenticated user (e.g., a regular FAQ contributor or a user with minimal permissions) can enumerate:

  • The instance's permission model (basic vs. medium), reveals access control architecture
  • Whether the instance runs in development or production mode, development mode may expose debug info
  • The cache backend (filesystem/redis/memcached), useful for targeting cache-specific attacks
  • The mail provider configuration, reveals infrastructure details
  • Available and active templates/themes, aids in targeting template-specific vulnerabilities
  • Translation provider (e.g., DeepL), reveals third-party service integrations

While no credentials or secrets are directly exposed, this configuration metadata aids targeted follow-up attacks and violates the principle of least privilege, these endpoints exist to serve the admin configuration UI and should require the same CONFIGURATION_EDIT permission as the list and save endpoints.

The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.

CVE-2026-45007 has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.1.2); upgrading removes the vulnerable code path.

Affected versions

thorsten/phpmyfaq (<= 4.1.1) phpmyfaq/phpmyfaq (<= 4.1.1)

Security releases

thorsten/phpmyfaq → 4.1.2 (composer) phpmyfaq/phpmyfaq → 4.1.2 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Replace $this->userIsAuthenticated() with $this->userHasPermission(PermissionType::CONFIGURATION_EDIT) in all 12 affected methods:

// In ConfigurationTabController.php, apply to all 12 methods
// Before (line 355, and equivalent in all others):
$this->userIsAuthenticated();

// After:
$this->userHasPermission(PermissionType::CONFIGURATION_EDIT);

Affected methods: translations(), templates(), faqsSortingKey(), faqsSortingOrder(), faqsSortingPopular(), permLevel(), releaseEnvironment(), searchRelevance(), seoMetaTags(), translationProvider(), mailProvider(), cacheAdapter().

Frequently Asked Questions

  1. What is CVE-2026-45007? CVE-2026-45007 is a medium-severity missing authorization vulnerability in thorsten/phpmyfaq (composer), affecting versions <= 4.1.1. It is fixed in 4.1.2. The application does not perform an authorization check before performing a sensitive operation.
  2. How severe is CVE-2026-45007? CVE-2026-45007 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-45007?
    • thorsten/phpmyfaq (composer) (versions <= 4.1.1)
    • phpmyfaq/phpmyfaq (composer) (versions <= 4.1.1)
  4. Is there a fix for CVE-2026-45007? Yes. CVE-2026-45007 is fixed in 4.1.2. Upgrade to this version or later.
  5. Is CVE-2026-45007 exploitable, and should I be worried? Whether CVE-2026-45007 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-45007 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-45007?
    • Upgrade thorsten/phpmyfaq to 4.1.2 or later
    • Upgrade phpmyfaq/phpmyfaq to 4.1.2 or later

Other vulnerabilities in thorsten/phpmyfaq

CVE-2026-49205CVE-2026-48488CVE-2026-35675CVE-2026-35672CVE-2026-35671

Stop the waste.
Protect your environment with Kodem.