CVE-2026-35675: phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/update
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access.
HarborGuard Analysis
Synopsis
Authentication bypass in phpMyFAQ's password reset endpoint allows unauthenticated remote attackers to reset any user account password without a valid token or email confirmation. The vulnerability is reachable over the network and requires no credentials, meaning any attacker who can reach the application can trigger it. Successful exploitation gives the attacker full control over targeted accounts, including administrator accounts. A patched-image rebuild at version 4.1.3 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle phpMyFAQ. Any image carrying a phpMyFAQ version below 4.1.3 is flagged automatically in both registry scans and CI pipeline checks.
Available
HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to surface it to the appropriate team inbox. Per-organization routing rules ensure the finding reaches the right owner without manual triage overhead.
Available
A patched-image rebuild at phpMyFAQ 4.1.3 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the phpMyFAQ application over the network; no local or adjacent access is needed, making any internet-exposed or internally networked instance a viable target.
- Authentication: Not required
  No account or credentials of any kind are needed; the vulnerable endpoint is accessible to completely unauthenticated requests.
- Victim interaction: Not required
  No user action is required; the attacker sends requests directly to the password reset API without involving any victim.
- Attack complexity
  Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors need to be satisfied.
Blast Radius
- Attacker resets the password of any user account, including administrator accounts, and gains full authenticated access to the phpMyFAQ application.
- Attacker reads plaintext passwords delivered by the application's own reset email flow, which may be reused across other services if the victim shares credentials.
- With administrative access, the attacker can read stored FAQ content, user records, and any configuration data held in the application database.
- An attacker with admin-level access can modify, delete, or inject content across the entire FAQ knowledge base, corrupting or defacing published content.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active across all connected registries and pipelines the moment an image carrying phpMyFAQ below 4.1.3 is scanned. Given the HIGH severity and zero-authentication exploit path, this CVE is prioritized at the top of the triage queue under default compliance policies. Where auto-remediation is enabled, HarborGuard rebuilds the image at phpMyFAQ 4.1.3, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with a direct reference to the 4.1.3 fix so engineers can action it manually. Until a rebuild is deployed, consider restricting network access to the phpMyFAQ instance at the ingress or network-policy layer to reduce exposure of the password reset endpoint to untrusted traffic.
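While access to the endpoint is being restricted, web server access logs can show which clients have been calling it. The following is an added example, not HarborGuard or phpMyFAQ code: it parses common/combined-format log lines and counts requests per client to the endpoint named in this advisory. The threshold, the `/faq` deployment prefix and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

RESET_PATH = "/api/user/password/update"  # endpoint named in the advisory
THRESHOLD = 3  # assumed per-client request count that triggers a flag

# Common/combined log format: client ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def reset_requests(lines):
    """Yield (client, method, status) for every request to the reset endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        # Drop the query string and collapse duplicate slashes before comparing.
        path = re.sub(r"/{2,}", "/", m["target"].split("?", 1)[0]).rstrip("/")
        # endswith() tolerates a deployment prefix such as /faq (assumed).
        if path.endswith(RESET_PATH):
            yield m["client"], m["method"], int(m["status"])

def flag_clients(lines, threshold=THRESHOLD):
    """Return {client: hits} for clients with at least `threshold` hits."""
    counts = Counter(client for client, _, _ in reset_requests(lines))
    return {c: n for c, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation address ranges; timestamps, methods
# and status codes are invented); not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "PUT /api/user/password/update HTTP/1.1" 200 58',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "PUT /api/user/password/update HTTP/1.1" 200 58',
    '203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "PUT /faq/api//user/password/update/?x=1 HTTP/1.1" 409 40',
    '198.51.100.20 - - [01/Jan/2026:10:05:00 +0000] "PUT /api/user/password/update HTTP/1.1" 200 58',
    '198.51.100.20 - - [01/Jan/2026:10:05:04 +0000] "GET /index.php HTTP/1.1" 200 5120',
    'not an access log line',
]

if __name__ == "__main__":
    for client, hits in flag_clients(SAMPLE_LOG).items():
        print(f"{client}: {hits} requests to {RESET_PATH}")
```

On an affected version every request to this endpoint deserves review, so `reset_requests` is also useful on its own to list each hit regardless of volume.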
Metrics
- CVSS v4.0: 8.8
- Severity: HIGH
- Fixed in: 4.1.3
- Affected Products: 1
Fix available
- thorsten / phpMyFAQ < 4.1.3 (from 0), fixed in 4.1.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N