What is GHSA-9r8r-x3vg-6xh4?

GHSA-9r8r-x3vg-6xh4 is a security advisory published by GitHub Security Advisories with Medium severity. phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check

Which CVE IDs does GHSA-9r8r-x3vg-6xh4 cover?

GHSA-9r8r-x3vg-6xh4 covers the following CVE IDs: CVE-2026-45009. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-9r8r-x3vg-6xh4?

GHSA-9r8r-x3vg-6xh4 has a CVSS v3 base score of 4.3, published by GitHub Security Advisories.

Which products are affected by GHSA-9r8r-x3vg-6xh4?

GHSA-9r8r-x3vg-6xh4 affects 2 products, including: composer/phpMyFAQ/phpMyFAQ:\u003c 4.1.2; composer/thorsten/phpMyFAQ:\u003c 4.1.2.

GHSA-9r8r-x3vg-6xh4MediumCVSS 4.3

phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check

Vendor

GitHub Security Advisories

Published

May 15, 2026

Last Modified

May 21, 2026

🔗 CVE IDs covered (1)

CVE-2026-45009 →

📋 Description

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.

🎯 Affected products2

composer/phpMyFAQ/phpMyFAQ:< 4.1.2
composer/thorsten/phpMyFAQ:< 4.1.2

🔗 References (4)

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5
https://nvd.nist.gov/vuln/detail/CVE-2026-45009
https://www.vulncheck.com/advisories/phpmyfaq-insufficient-authorization-check-in-admin-api-endpoints
https://github.com/advisories/GHSA-9r8r-x3vg-6xh4