CVE-2026-27836

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/thorsten/phpMyFAQ/commit/f2ab673f0668753cd0f7c7c8bc7fd2304dcf5cb1	Patch
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w22q-m2fm-x9f4	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-27 20:21

Updated : 2026-03-04 16:08

NVD link : CVE-2026-27836

Mitre link : CVE-2026-27836

CVE.ORG link : CVE-2026-27836

JSON object : View

Products Affected

phpmyfaq

phpmyfaq

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-27836", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-27T20:21:40.330", "references": [{"url": "https://github.com/thorsten/phpMyFAQ/commit/f2ab673f0668753cd0f7c7c8bc7fd2304dcf5cb1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w22q-m2fm-x9f4", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue."}, {"lang": "es", "value": "phpMyFAQ es una aplicaci\u00f3n web de preguntas frecuentes de c\u00f3digo abierto. Antes de la versi\u00f3n 4.0.18, el endpoint de preparaci\u00f3n de WebAuthn ('/API/webauthn/prepare') crea nuevas cuentas de usuario activas sin ninguna autenticaci\u00f3n, protecci\u00f3n CSRF, captcha o comprobaciones de configuraci\u00f3n. Esto permite a atacantes no autenticados crear cuentas de usuario ilimitadas incluso cuando el registro est\u00e1 deshabilitado. La versi\u00f3n 4.0.18 corrige el problema."}], "lastModified": "2026-03-04T16:08:53.133", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14734A01-00F7-4499-A5DA-1FA0888B75A8", "versionEndExcluding": "4.0.18"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}