CVE-2026-35672 | Severity: HIGH | CNA: VulnCheck

CVE-2026-35672: phpMyFAQ - Authentication Bypass via Empty API Token

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.

HarborGuard Analysis

Synopsis

Authentication bypass in phpMyFAQ before version 4.1.3 allows unauthenticated remote attackers to create and modify FAQ entries through the API. The vulnerability exists because the default empty api.apiClientToken value is never validated, so sending a blank x-pmf-token header passes the authentication check. Successful exploitation lets an attacker inject arbitrary content into FAQ entries, categories, and questions without any credentials. A patched-image rebuild at version 4.1.3 is available on HarborGuard for environments running an affected version.
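The mechanism described above comes down to how the configured token is compared with the header. The following is an added Python illustration, not phpMyFAQ's own code (phpMyFAQ is written in PHP, and its actual check is not reproduced here): a weak equality check that accepts an empty header whenever api.apiClientToken is left at its default empty value, beside a hardened check that fails closed when no token is configured, rejects empty presentations, and compares in constant time. The function names, the `handle_write` dispatcher and the status codes it returns are assumptions made for the example; the three endpoint paths are the ones named in the advisory.

```python
import hmac
from typing import Optional

# Endpoints the advisory names as reachable with an empty token.
WRITE_ENDPOINTS = {"/api/v4.0/faq/create", "/api/v4.0/category", "/api/v4.0/question"}


def token_check_vulnerable(configured_token: str, presented_token: Optional[str]) -> bool:
    """Illustrative weak check (assumed pattern, not phpMyFAQ's code): plain equality,
    with a missing header treated as the empty string.

    With api.apiClientToken left at its default empty value, an absent or empty
    x-pmf-token header compares equal to the configured value and is accepted.
    """
    presented = presented_token if presented_token is not None else ""
    return presented == configured_token


def token_check_hardened(configured_token: Optional[str], presented_token: Optional[str]) -> bool:
    """Hardened check: an unconfigured token closes the API, empty presentations
    are rejected, and the comparison runs in constant time."""
    if not configured_token:
        return False  # fail closed: no token configured means no API writes at all
    if not presented_token:
        return False  # an empty or missing x-pmf-token is never valid
    return hmac.compare_digest(configured_token.encode("utf-8"), presented_token.encode("utf-8"))


def handle_write(path: str, headers: dict, configured_token: Optional[str], check) -> int:
    """Return the HTTP status a write endpoint would produce under the given check.

    Hypothetical dispatcher for the example; header lookup is case-insensitive,
    as it is for real HTTP headers.
    """
    if path not in WRITE_ENDPOINTS:
        return 404
    token = next((v for k, v in headers.items() if k.lower() == "x-pmf-token"), None)
    if not check(configured_token, token):
        return 401
    return 201  # write accepted


if __name__ == "__main__":
    # Default (empty) configured token, request carrying an empty x-pmf-token header.
    req = ("/api/v4.0/faq/create", {"X-PMF-Token": ""})
    print("vulnerable check:", handle_write(*req, "", token_check_vulnerable))  # 201
    print("hardened check:  ", handle_write(*req, "", token_check_hardened))    # 401
```

The two changes that matter are treating an unset token as "API closed" rather than "no token needed", and never letting an empty client value reach the comparison; `hmac.compare_digest` is the usual way to avoid timing differences once a real token is configured.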

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-35672 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle phpMyFAQ. Both registry scans and in-pipeline image checks surface affected versions below 4.1.3.

Triage: Available

HarborGuard scores this CVE at CVSS v4.0 8.7 (HIGH) and weights it against each environment's compliance policy to prioritize routing. Triage findings are sent to the inbox configured for the relevant team inside each customer organization.

Patch: Available

A patched-image rebuild at phpMyFAQ 4.1.3 is available on HarborGuard for any environment found to be running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the phpMyFAQ API service over the network; no prior foothold on the host is required.

  • Authentication: Not required

    No credentials are needed; sending an empty x-pmf-token header bypasses the token validation check entirely.

  • Victim interaction: Not required

    The attacker makes direct API requests with no need for a logged-in user to take any action.

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race conditions or special environmental factors are required to trigger the bypass.
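Because the conditions above reduce to "POST to one of three endpoints with an empty or missing x-pmf-token header", the pattern is easy to hunt for in reverse-proxy logs while the patched image is rolled out. The block below is an added example (not part of the advisory or of HarborGuard's or phpMyFAQ's tooling) that flags such requests in JSON-per-line proxy logs; the sample lines are constructed, and the field names (`method`, `path`, `x_pmf_token`, `src`, `status`) are assumptions about how a proxy might be configured to log the header, so adapt them to your own schema.

```python
import json
from typing import Dict, Iterable, List

# POST endpoints the advisory lists as reachable with an empty token.
WRITE_ENDPOINTS = {"/api/v4.0/faq/create", "/api/v4.0/category", "/api/v4.0/question"}

# Constructed sample log lines (JSON per line). Field names are assumed, not
# taken from any real proxy configuration.
SAMPLE_LOG = """\
{"ts":"2026-04-01T10:00:01Z","src":"203.0.113.10","method":"POST","path":"/api/v4.0/faq/create","x_pmf_token":"","status":201}
{"ts":"2026-04-01T10:00:02Z","src":"203.0.113.10","method":"POST","path":"/api/v4.0/category?lang=en","status":201}
{"ts":"2026-04-01T10:00:03Z","src":"198.51.100.7","method":"POST","path":"/api/v4.0/question","x_pmf_token":"[redacted]","status":201}
{"ts":"2026-04-01T10:00:04Z","src":"198.51.100.7","method":"GET","path":"/api/v4.0/faq/create","status":405}
{"ts":"2026-04-01T10:00:05Z","src":"203.0.113.10","method":"POST","path":"/index.php","status":200}
not json at all
"""


def empty_token_writes(lines: Iterable[str]) -> List[Dict]:
    """Return records for POSTs to the write endpoints that carry no usable token."""
    hits: List[Dict] = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate malformed or non-JSON lines
        if rec.get("method") != "POST":
            continue
        path = str(rec.get("path", "")).split("?", 1)[0]  # drop any query string
        if path not in WRITE_ENDPOINTS:
            continue
        token = rec.get("x_pmf_token")
        if token is None or str(token).strip() == "":
            hits.append({
                "ts": rec.get("ts"),
                "src": rec.get("src"),
                "path": path,
                "status": rec.get("status"),
                "reason": "empty-or-missing x-pmf-token",
            })
    return hits


def sources_by_hit_count(hits: List[Dict]) -> Dict[str, int]:
    """Aggregate flagged requests per source address for triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = empty_token_writes(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print(sources_by_hit_count(found))
```

The logged status is kept in each hit because it separates successful writes (2xx on an unpatched instance) from rejected attempts, which is what you need when deciding whether injected content has to be cleaned out of the database.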

Blast Radius

  • Attacker writes arbitrary content into FAQ entries via the /api/v4.0/faq/create endpoint, enabling persistent content injection visible to all site visitors.
  • Attacker creates or modifies categories via /api/v4.0/category, restructuring the FAQ knowledge base without authorization.
  • Attacker submits questions via /api/v4.0/question, potentially poisoning the question queue with malicious or misleading content.
  • Any injected content persists in the database until manually removed, meaning impact extends beyond the initial request.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35672 fires automatically when a scan of any customer image returns a phpMyFAQ version below 4.1.3. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fixed version 4.1.3, runs a regression test against the updated image, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before merge, the pull request and full finding detail are routed to the appropriate team inbox for approval. Customers who cannot upgrade immediately should consider restricting network access to the phpMyFAQ API endpoints at the ingress or network-policy layer to reduce exposure until the patched image is deployed.


Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: 4.1.3
  • Affected products: 1

Affected packages

  • thorsten / phpMyFAQ: < 4.1.3 (from 0); fixed in 4.1.3

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N