phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)
🔗 CVE IDs covered (1)
📋 Description
Missing Authorization in API CategoryController — CVE-2026-24421 fixed BackupController by adding userHasPermission(PermissionType::BACKUP). The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call hasValidToken() (shared API key) but never call userHasPermission(), allowing any API token holder to perform admin operations regardless of their user permissions.
Summary
CVE-2026-24421 fixed BackupController by adding: $this->userHasPermission(PermissionType::BACKUP);
The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken() — which checks a shared API key header, NOT the individual user's role permissions.
Affected Endpoints
-
src/phpMyFAQ/Controller/Api/CategoryController.php → create() POST /api/v4.0/category Missing: userHasPermission(PermissionType::CATEGORY_ADD) Any API token holder can create categories regardless of user role.
-
src/phpMyFAQ/Controller/Api/FaqController.php → create() POST /api/v4.0/faq Missing: userHasPermission(PermissionType::FAQ_ADD) Any API token holder can create FAQ entries regardless of user role.
-
src/phpMyFAQ/Controller/Api/FaqController.php → update() PUT /api/v4.0/faq Missing: userHasPermission(PermissionType::FAQ_EDIT) Any API token holder can update any FAQ entry regardless of user role.
-
src/phpMyFAQ/Controller/Api/QuestionController.php → create() POST /api/v4.0/question Missing: permission check Any API token holder can create questions regardless of user role.
Root Cause
All 4 methods only call: $this->hasValidToken(); ← shared API key, not per-user
The fixed BackupController correctly calls: $this->userHasPermission(PermissionType::BACKUP);
PermissionType::CATEGORY_ADD, FAQ_ADD, FAQ_EDIT all exist in src/phpMyFAQ/Enums/PermissionType.php — they just are not being used.
Fix
Add userHasPermission() before the logic in each method:
// CategoryController.create()
$this->userHasPermission(PermissionType::CATEGORY_ADD);
// FaqController.create()
$this->userHasPermission(PermissionType::FAQ_ADD);
// FaqController.update()
$this->userHasPermission(PermissionType::FAQ_EDIT);
Reporter
CONTACT Santhoshini Ganta Github:@santhoshinipayload Email: [email protected] LinkedIn: http://linkedin.com/in/santhoshini-g-1440621ba
🎯 Affected products2
- composer/thorsten/phpmyfaq:< 4.1.4
- composer/phpmyfaq/phpmyfaq:< 4.1.4