Vulnerabilities ›

CVE-2026-46362

Medium

CWE-863 — Weakness Type

                    Published: May 15, 2026                      ·  Modified: May 18, 2026                      ·  Source: NVD                

CVSS v3

6.5

🔗 NVD Official

📄 Description (English)

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration.

🤖 AI Executive Summary

phpMyFAQ versions before 4.1.2 contain a critical authorization bypass vulnerability in the AbstractAdministrationController that allows authenticated users to access all admin pages despite lacking proper permissions. The vulnerability stems from improper execution termination after sending forbidden responses, enabling attackers to view sensitive admin logs, user data, system information, and application configuration. While no public exploit is available, the vulnerability is easily exploitable and poses significant risk to organizations using phpMyFAQ for knowledge management and FAQ systems.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 16, 2026 07:37

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi government agencies, educational institutions, and large enterprises using phpMyFAQ for internal knowledge management and FAQ systems. Government entities under NCA oversight are particularly at risk, as unauthorized access to admin pages could expose classified information, user databases, and system configurations. Banking and financial institutions using phpMyFAQ for customer support documentation face data exposure risks. Healthcare organizations and ARAMCO subsidiaries using this platform for internal documentation could have sensitive operational information compromised. The vulnerability is especially critical for organizations with multi-user environments where privilege separation is essential for compliance with SAMA CSF and NCA ECC requirements.

🏢 Affected Saudi Sectors

Government Education Healthcare Banking and Financial Services Energy and Utilities Telecommunications Large Enterprises

🎯 MITRE ATT&CK Techniques

T1548 - Abuse Elevation Control Mechanism T1110 - Brute Force T1087 - Account Discovery T1526 - Gather Victim Host Information T1526.004 - Gather Victim Host Information: Cloud Instance Metadata T1526.005 - Gather Victim Host Information: Enumerate Cloud Resources T1538 - Steal Cloud Service Account Credentials T1526.001 - Gather Victim Host Information: Credentials

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all phpMyFAQ installations in your environment and document their versions

2. Restrict access to phpMyFAQ admin pages at the network level using WAF rules or firewall policies

3. Implement IP whitelisting for admin panel access

4. Review admin access logs for unauthorized access attempts

5. Audit all user accounts with admin or elevated permissions



PATCHING GUIDANCE:

1. Upgrade phpMyFAQ to version 4.1.2 or later immediately when available

2. If upgrade is not immediately possible, apply the following compensating controls



COMPENSATING CONTROLS (if patch unavailable):

1. Implement Web Application Firewall (WAF) rules to block direct access to admin URLs:

   - Block requests to /admin/* paths from non-admin IP ranges

   - Implement request inspection for admin page access patterns

2. Deploy reverse proxy authentication requiring additional MFA for admin pages

3. Implement network segmentation isolating phpMyFAQ admin interfaces

4. Enable comprehensive logging and monitoring of all admin page access attempts



DETECTION RULES:

1. Monitor for HTTP 403 responses followed by successful page loads from same user session

2. Alert on authenticated users accessing /admin/* paths

3. Track failed authorization attempts followed by successful content retrieval

4. Monitor for unusual admin page access patterns from non-admin user accounts

5. Log all access to sensitive admin pages: user management, logs, configuration pages

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع تثبيتات phpMyFAQ في بيئتك وتوثيق إصداراتها

2. تقييد الوصول إلى صفحات إدارة phpMyFAQ على مستوى الشبكة باستخدام قواعد WAF أو سياسات جدار الحماية

3. تنفيذ القائمة البيضاء للعناوين IP لوصول لوحة الإدارة

4. مراجعة سجلات وصول الإدارة للكشف عن محاولات الوصول غير المصرح بها

5. تدقيق جميع حسابات المستخدمين ذات أذونات الإدارة أو الأذونات المرتفعة

إرشادات التصحيح:

1. ترقية phpMyFAQ إلى الإصدار 4.1.2 أو أحدث فوراً عند توفره

2. إذا لم يكن الترقية ممكنة على الفور، طبق الضوابط التعويضية التالية

الضوابط التعويضية (إذا لم يكن التصحيح متاحاً):

1. تنفيذ قواعد جدار تطبيقات الويب (WAF) لحظر الوصول المباشر إلى عناوين URL الإدارة

2. نشر مصادقة وكيل عكسي تتطلب MFA إضافية لصفحات الإدارة

3. تنفيذ تقسيم الشبكة لعزل واجهات إدارة phpMyFAQ

4. تفعيل السجلات الشاملة ومراقبة جميع محاولات الوصول إلى صفحات الإدارة

قواعد الكشف:

1. مراقبة استجابات HTTP 403 متبوعة بتحميل صفحات ناجحة من نفس جلسة المستخدم

2. تنبيه المستخدمين المصرح لهم بالوصول إلى مسارات /admin/*

3. تتبع محاولات الفشل في التفويض متبوعة باسترجاع محتوى ناجح

4. مراقبة أنماط الوصول غير العادية إلى صفحات الإدارة من حسابات المستخدمين غير الإداريين

5. تسجيل جميع الوصول إلى صفحات الإدارة الحساسة: إدارة المستخدمين والسجلات وصفحات التكوين

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Access Control Policy A.5.2.1 - User Registration and De-registration A.5.2.2 - User Access Provisioning A.5.2.3 - Management of Privileged Access Rights A.5.3.1 - Management of Secret Authentication Information A.8.1.1 - Information Security Event Logging A.8.1.2 - Protection of Log Information

🔵 SAMA CSF

ID.AC-1 - Access Control Policy and Procedures ID.AC-2 - Physical and Logical Access Controls PR.AC-1 - Identities and Credentials are Managed PR.AC-3 - Access Restrictions for Change DE.AE-1 - A baseline of network operations is established DE.CM-1 - The network is monitored to detect potential cybersecurity events

🟡 ISO 27001:2022

5.15 - Access Control 5.16 - Identification and Authentication 5.17 - Access Rights 5.18 - Information Security in Supplier Relationships 8.1 - Information Security Monitoring 8.2 - Information Security Event Evaluation 8.3 - Response to Information Security Incidents

🔗 References & Sources 2

🔗

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-hpgw-ww76-c68r

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/phpmyfaq-authorization-bypass-in-admin-pages-via-n...

disclosure@vulncheck.com

📊 CVSS Score

6.5

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.5

CWECWE-863

EPSS0.05%

Exploit No

Patch ✗ No

Published 2026-05-15

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-863

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-46362

Introduce Yourself

Sign In Required