CVE-2026-35672— phpMyFAQ - Authentication Bypass via Empty API Token

CVSS 7.5 · High EPSS 0.08% · P24 Updated May 29, 2026

Possible ATT&CK Techniques 2AI

T1136 · Create Account T1190 · Exploit Public-Facing Application

Affected Version Matrix 2

Vendor	Product	Version Range	Status
thorsten	phpMyFAQ	`< 4.1.3`	affected
		`4.1.3`	unaffected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-35672

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

phpMyFAQ - Authentication Bypass via Empty API Token

Source: NVD (National Vulnerability Database)

Vulnerability Description

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

不安全的默认资源初始化

Source: NVD (National Vulnerability Database)

Vulnerability Title

phpMyFAQ 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

phpMyFAQ是Thorsten Rinne个人开发者的一个多语言、完全由数据库驱动的常见问题解答系统。 phpMyFAQ 4.1.3之前版本存在安全漏洞，该漏洞源于API v4.0中默认空的api.apiClientToken允许未经验证用户创建和修改FAQ条目，攻击者可通过发送空的x-pmf-token标头绕过令牌验证，通过POST端点注入恶意内容。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
thorsten	phpMyFAQ	0 ~ 4.1.3	-

II. Public POCs for CVE-2026-35672

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-35672

请登录查看更多情报信息。

Vendor Advisories for CVE-2026-35672 (2)

🔗 Security Advisory Submission: Default Empty API Token Authentication Bypass · Advisory · thorsten/phpMyFAQ · GitHub Read full article third-party-advisory
🔗 phpMyFAQ - Authentication Bypass via Empty API Token | Advisories | VulnCheck Read full article third-party-advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-35672

Same Patch Batch · thorsten · 2026-05-28 · 4 CVEs total

CVE-2026-35671	8.8 HIGH	phpMyFAQ - Insecure Direct Object Reference in User Password API
CVE-2026-35675	8.2 HIGH	phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/up
CVE-2026-35676	8.2 HIGH	phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint

IV. Related Vulnerabilities

Same product: phpMyFAQ

Same vendor: thorsten

Same weakness: CWE-1188

V. Comments for CVE-2026-35672

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-35672— phpMyFAQ - Authentication Bypass via Empty API Token

Possible ATT&CK Techniques 2AI

Affected Version Matrix 2

I. Basic Information for CVE-2026-35672

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-35672

III. Intelligence Information for CVE-2026-35672

Vendor Advisories for CVE-2026-35672 (2)

Same Patch Batch · thorsten · 2026-05-28 · 4 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-35672

Leave a comment