GHSA-7p9h-m7m8-vhhv

Source

https://github.com/advisories/GHSA-7p9h-m7m8-vhhv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7p9h-m7m8-vhhv/GHSA-7p9h-m7m8-vhhv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7p9h-m7m8-vhhv

Aliases

CVE-2026-24420

Published

2026-01-23T20:17:16Z

Modified

2026-02-03T03:07:04.374633Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

Details

Summary

A logged‑in user without the dlattachment right can download FAQ attachments. This is due to a permissive permission check in attachment.php that treats the mere presence of a right key as authorization and a flawed group/user logic expression.

Details

In attachment.php, the access decision uses: ($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment']) isset() returns true even when the right value is false, and the logic simplifies to $groupPermission for some permission modes. As a result, a user without dlattachment can still access the attachment.

PoC

Precondition: A non‑admin user exists; an attachment is associated to a FAQ record; records.allowDownloadsForGuests = false. Log in as a non‑admin user without dlattachment. Request the attachment download endpoint.

curl -c /tmp/pmf_api_cookies.txt \
  -H 'Content-Type: application/json' \
  -d '{"username":"tester","password":"Test1234!"}' \
  http://192.168.40.16/phpmyfaq/api/v3.0/login

curl -i -b /tmp/pmf_api_cookies.txt \
  "http://192.168.40.16/phpmyfaq/index.php?action=attachment&id=1"

Impact

Unauthorized users can download attachments (confidentiality breach). Depending on content, this may expose sensitive documents.

Database specific

{
    "github_reviewed_at": "2026-01-23T20:17:16Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2026-01-24T03:16:00Z",
    "cwe_ids": [
        "CWE-284"
    ]
}

References

Affected packages

Packagist / phpmyfaq/phpmyfaq

Package

Name: phpmyfaq/phpmyfaq
Purl: pkg:composer/phpmyfaq/phpmyfaq

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.17

Affected versions

2.*

2.8.0-alpha2

2.8.0-alpha3

2.8.0-beta

2.8.0-beta2

2.8.0-beta3

2.8.0-RC

2.8.0-RC2

2.8.0-RC3

2.8.0-RC4

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.16

2.8.17

2.8.18

2.8.19

2.8.20

2.8.21

2.8.22

2.8.23

2.8.24

2.8.25

2.8.26

2.8.27

2.8.28

2.8.29

2.9.0-alpha

2.9.0-alpha2

2.9.0-alpha3

2.9.0-alpha4

2.9.0-beta

2.9.0-beta2

2.9.0-rc

2.9.0-rc2

2.9.0-rc3

2.9.0-rc4

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.9.10

2.9.11

2.9.12

2.9.13

2.10.0-alpha

3.*

3.0.0-alpha

3.0.0-alpha.2

3.0.0-alpha.3

3.0.0-alpha.4

3.0.0-beta

3.0.0-beta.2

3.0.0-beta.3

3.0.0-RC

3.0.0-RC.2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.1.0-alpha

3.1.0-alpha.2

3.1.0-alpha.3

3.1.0-beta

3.1.0-RC

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.2.0-alpha

3.2.0-beta

3.2.0-beta.2

3.2.0-RC

3.2.0-RC.2

3.2.0-RC.4

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

4.*

4.0.0-alpha

4.0.0-alpha.2

4.0.0-alpha.3

4.0.0-alpha.4

4.0.0-beta

4.0.0-beta.2

4.0.0-RC

4.0.0-RC.2

4.0.0-RC.3

4.0.0-RC.4

4.0.0-RC.5

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.0.14

4.0.15

4.0.16

Database specific

last_known_affected_version_range

"<= 4.0.16"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7p9h-m7m8-vhhv/GHSA-7p9h-m7m8-vhhv.json"

Packagist / thorsten/phpmyfaq