GHSA-8c6h-7g6x-m5x4MediumCVSS 6.5

phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)

Published
June 23, 2026
Last Modified
June 23, 2026

🔗 CVE IDs covered (1)

📋 Description

Missing Authorization in API CategoryController — CVE-2026-24421 fixed BackupController by adding userHasPermission(PermissionType::BACKUP). The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call hasValidToken() (shared API key) but never call userHasPermission(), allowing any API token holder to perform admin operations regardless of their user permissions.

Summary

CVE-2026-24421 fixed BackupController by adding: $this->userHasPermission(PermissionType::BACKUP);

The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken() — which checks a shared API key header, NOT the individual user's role permissions.

Affected Endpoints

  1. src/phpMyFAQ/Controller/Api/CategoryController.php → create() POST /api/v4.0/category Missing: userHasPermission(PermissionType::CATEGORY_ADD) Any API token holder can create categories regardless of user role.

  2. src/phpMyFAQ/Controller/Api/FaqController.php → create() POST /api/v4.0/faq Missing: userHasPermission(PermissionType::FAQ_ADD) Any API token holder can create FAQ entries regardless of user role.

  3. src/phpMyFAQ/Controller/Api/FaqController.php → update() PUT /api/v4.0/faq Missing: userHasPermission(PermissionType::FAQ_EDIT) Any API token holder can update any FAQ entry regardless of user role.

  4. src/phpMyFAQ/Controller/Api/QuestionController.php → create() POST /api/v4.0/question Missing: permission check Any API token holder can create questions regardless of user role.

Root Cause

All 4 methods only call: $this->hasValidToken(); ← shared API key, not per-user

The fixed BackupController correctly calls: $this->userHasPermission(PermissionType::BACKUP);

PermissionType::CATEGORY_ADD, FAQ_ADD, FAQ_EDIT all exist in src/phpMyFAQ/Enums/PermissionType.php — they just are not being used.

Fix

Add userHasPermission() before the logic in each method:

// CategoryController.create()
$this->userHasPermission(PermissionType::CATEGORY_ADD);

// FaqController.create()
$this->userHasPermission(PermissionType::FAQ_ADD);

// FaqController.update()
$this->userHasPermission(PermissionType::FAQ_EDIT);

Reporter

CONTACT Santhoshini Ganta Github:@santhoshinipayload Email: [email protected] LinkedIn: http://linkedin.com/in/santhoshini-g-1440621ba

🎯 Affected products2

  • composer/thorsten/phpmyfaq:< 4.1.4
  • composer/phpmyfaq/phpmyfaq:< 4.1.4

🔗 References (4)