Severity: HIGH | CVE-2026-35676 | CNA: VulnCheck

CVE-2026-35676: phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials.
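As an added detection example (not code from this page, from phpMyFAQ or from HarborGuard): the Python below scans web-server access logs for PUT requests to the endpoint named above and flags a client that sends several of them inside a short window, the footprint an unauthenticated enumerate-then-reset would leave. It assumes the server writes the common combined log format; the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not taken from the page);
# 203.0.113.9 models an enumeration burst that ends in a successful reset.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2026:13:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2026:13:02:14 +0000] "PUT /api/index.php/user/password/update HTTP/1.1" 400 61 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2026:13:02:15 +0000] "PUT /api/index.php/user/password/update HTTP/1.1" 400 61 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2026:13:02:16 +0000] "PUT /api/index.php/user/password/update HTTP/1.1" 200 44 "-" "python-requests/2.31"
198.51.100.7 - - [10/Apr/2026:13:40:02 +0000] "PUT /api/index.php/user/password/update HTTP/1.1" 200 44 "https://faq.example.test/user/ucp" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
ENDPOINT = "/api/index.php/user/password/update"  # endpoint named in the advisory


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_password_update_abuse(log_text, window=timedelta(minutes=5), burst=3):
    """Summarise PUT requests to the password-update endpoint per client IP.

    Every such request is counted so an analyst can review it; an IP is marked
    'burst' when it sends `burst` or more of them within `window`. Requests
    without a Referer are counted too, since a browser-driven change from the
    application's own pages normally carries one while a direct API call does not.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "PUT" and rec["path"].split("?")[0] == ENDPOINT:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        is_burst = any(recs[i + burst - 1]["ts"] - recs[i]["ts"] <= window
                       for i in range(len(recs) - burst + 1))
        findings[ip] = {"total": len(recs),
                        "succeeded": sum(1 for r in recs if r["status"] == 200),
                        "no_referer": sum(1 for r in recs if r["referer"] in ("", "-")),
                        "burst": is_burst}
    return findings
```

A 200 from an address marked `burst` is the case to escalate; even without it, any PUT to this endpoint from a host still below 4.1.3 deserves a look, because the handler accepted it without a token.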

HarborGuard Analysis

Synopsis

An authentication bypass in phpMyFAQ's user password update API endpoint allows any unauthenticated attacker to reset account passwords without token validation. The vulnerability is reachable over the network and requires no credentials, only a valid username and email pair obtained through enumeration. Successful exploitation lets an attacker lock legitimate users out of their accounts by overwriting their passwords. A patched-image rebuild at version 4.1.3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle phpMyFAQ. No manual triage step is needed to trigger initial detection.

Triage: Available

HarborGuard scores this finding at CVSS 8.8 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at phpMyFAQ 4.1.3 becomes available on HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes the regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the phpMyFAQ API endpoint over the network; the vulnerable PUT handler is exposed via standard HTTP.

  • Authentication: Not required

    No account or credentials are needed; the password update endpoint performs no token validation before accepting changes.

  • Victim interaction: Not required

    The attacker sends a direct API request without any need for a user to click a link or take any action.

  • Attack complexity

    Exploitation is reliable and condition-free once a valid username and email pair is enumerated; no race conditions or special environment factors apply.

Blast Radius

  • The attacker overwrites the password of any targeted account, locking the legitimate user out immediately.
  • Invalidated credentials disrupt user sessions and any automated integrations or API tokens tied to the affected account.
  • Account takeover grants the attacker whatever level of access the compromised account held within phpMyFAQ, including access to stored FAQ content and administrative functions if an admin account is targeted.

How HarborGuard Handles This

Available on HarborGuard: any image containing phpMyFAQ below 4.1.3 is flagged at CVSS 8.8 HIGH as soon as the CVE enters the feed. A rebuild against the 4.1.3 base becomes available for affected images. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. Customers who manage remediation manually will see the finding routed to their configured team inbox with full CVSS detail and a direct reference to the fix version, allowing them to act without additional research.


Metrics

CVSS v4.0: 8.8
Severity: HIGH
Fixed in: 4.1.3
Affected Products: 1

Fix available: 4.1.3

Affected packages
  • thorsten / phpMyFAQ: < 4.1.3 (from 0), fixed in 4.1.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N