CVE-2026-35671 · Severity: HIGH · CNA: VulnCheck

CVE-2026-35671: phpMyFAQ - Insecure Direct Object Reference in User Password API

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.

HarborGuard Analysis

Synopsis

An insecure direct object reference (IDOR) vulnerability exists in the admin API password endpoint of phpMyFAQ before version 4.1.3. The flaw is reachable over the network by any authenticated low-privilege admin account, requiring no additional interaction from a victim. Successful exploitation lets an attacker overwrite any user's password, including the SuperAdmin account, giving full control over the application. A patched-image rebuild at version 4.1.3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-35671 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle phpMyFAQ. Coverage applies to images in both connected registries and active CI/CD pipelines.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 8.7 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox inside each customer org is available as part of the standard pipeline flow.

Patch (Available)

A patched-image rebuild at phpMyFAQ 4.1.3 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API endpoint is exposed over the network, so the attacker must be able to reach the service remotely.

  • Authentication: Required

    A low-privilege admin account is sufficient; no privileges beyond basic admin access are needed to trigger the vulnerability.

  • Victim interaction: Not required

    The attacker sends a crafted API request directly; no action from another user or victim is needed.

  • Attack complexity: Low

    Exploitation is straightforward and condition-free; the attacker only needs to manipulate the userId parameter in the overwrite-password API request with no race conditions or environmental dependencies.

Blast Radius

  • Attacker overwrites the SuperAdmin account password, gaining full administrative control of the phpMyFAQ application.
  • Attacker can read, modify, or delete any FAQ content, user data, and application configuration stored in the system.
  • All other user accounts become vulnerable to password reset, allowing the attacker to impersonate or lock out any user.
  • Full compromise of the phpMyFAQ instance can serve as a pivot point to any backend systems or databases the application connects to.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35671 is active for any image containing phpMyFAQ below version 4.1.3, with ingestion typically completing within minutes of advisory publication. A patched rebuild at version 4.1.3 is available for affected environments. For customers who opt into auto-remediation, HarborGuard can rebuild the image, execute regression tests, and open a PR against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a detailed finding report are queued for reviewer action. Given the low barrier to exploitation (any admin-level credential is sufficient), prioritizing this update is strongly advised for any environment running phpMyFAQ in a multi-user or internet-accessible configuration.


Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: 4.1.3
  • Affected products: 1
  • Fix available: 4.1.3

Affected packages

  • thorsten / phpMyFAQ
    Affected range: < 4.1.3 (from 0)
    Fixed in 4.1.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N