GHSA-8c6h-7g6x-m5x4

Source

https://github.com/advisories/GHSA-8c6h-7g6x-m5x4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-8c6h-7g6x-m5x4/GHSA-8c6h-7g6x-m5x4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8c6h-7g6x-m5x4

Aliases

CVE-2026-49205

Published

2026-06-23T22:27:34Z

Modified

2026-06-23T22:45:09.632719956Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)

Details

Missing Authorization in API CategoryController — CVE-2026-24421 fixed BackupController by adding userHasPermission(PermissionType::BACKUP). The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call hasValidToken() (shared API key) but never call userHasPermission(), allowing any API token holder to perform admin operations regardless of their user permissions.

Summary

CVE-2026-24421 fixed BackupController by adding: $this->userHasPermission(PermissionType::BACKUP);

The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken() — which checks a shared API key header, NOT the individual user's role permissions.

Affected Endpoints

src/phpMyFAQ/Controller/Api/CategoryController.php → create() POST /api/v4.0/category Missing: userHasPermission(PermissionType::CATEGORY_ADD) Any API token holder can create categories regardless of user role.
src/phpMyFAQ/Controller/Api/FaqController.php → create() POST /api/v4.0/faq Missing: userHasPermission(PermissionType::FAQ_ADD) Any API token holder can create FAQ entries regardless of user role.
src/phpMyFAQ/Controller/Api/FaqController.php → update() PUT /api/v4.0/faq Missing: userHasPermission(PermissionType::FAQ_EDIT) Any API token holder can update any FAQ entry regardless of user role.
src/phpMyFAQ/Controller/Api/QuestionController.php → create() POST /api/v4.0/question Missing: permission check Any API token holder can create questions regardless of user role.

Root Cause

All 4 methods only call: $this->hasValidToken(); ← shared API key, not per-user

The fixed BackupController correctly calls: $this->userHasPermission(PermissionType::BACKUP);

PermissionType::CATEGORYADD, FAQADD, FAQ_EDIT all exist in src/phpMyFAQ/Enums/PermissionType.php — they just are not being used.

Fix

Add userHasPermission() before the logic in each method:

// CategoryController.create()
$this->userHasPermission(PermissionType::CATEGORY_ADD);

// FaqController.create()
$this->userHasPermission(PermissionType::FAQ_ADD);

// FaqController.update()
$this->userHasPermission(PermissionType::FAQ_EDIT);

Reporter

CONTACT Santhoshini Ganta Github:@santhoshinipayload Email: santhoshinive75@gmail.com LinkedIn: http://linkedin.com/in/santhoshini-g-1440621ba

Database specific

{
    "github_reviewed_at": "2026-06-23T22:27:34Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-862"
    ],
    "nvd_published_at": "2026-06-18T22:16:31Z",
    "github_reviewed": true
}

References

Affected packages

Packagist / thorsten/phpmyfaq

Package

Name: thorsten/phpmyfaq
Purl: pkg:composer/thorsten%2Fphpmyfaq

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.4

Affected versions

2.*

2.8.0-alpha2

2.8.0-alpha3

2.8.0-beta

2.8.0-beta2

2.8.0-beta3

2.8.0-RC

2.8.0-RC2

2.8.0-RC3

2.8.0-RC4

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.16

2.8.17

2.8.18

2.8.19

2.8.20

2.8.21

2.8.22

2.8.23

2.8.24

2.8.25

2.8.26

2.8.27

2.8.28

2.8.29

2.9.0-alpha

2.9.0-alpha2

2.9.0-alpha3

2.9.0-alpha4

2.9.0-beta

2.9.0-beta2

2.9.0-rc

2.9.0-rc2

2.9.0-rc3

2.9.0-rc4

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.9.10

2.9.11

2.9.12

2.9.13

2.10.0-alpha

3.*

3.0.0-alpha

3.0.0-alpha.2

3.0.0-alpha.3

3.0.0-alpha.4

3.0.0-beta

3.0.0-beta.2

3.0.0-beta.3

3.0.0-RC

3.0.0-RC.2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.1.0-alpha

3.1.0-alpha.2

3.1.0-alpha.3

3.1.0-beta

3.1.0-RC

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.2.0-alpha

3.2.0-beta

3.2.0-beta.2

3.2.0-RC

3.2.0-RC.2

3.2.0-RC.4

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

4.*

4.0.0-alpha

4.0.0-alpha.2

4.0.0-alpha.3

4.0.0-alpha.4

4.0.0-beta

4.0.0-beta.2

4.0.0-RC

4.0.0-RC.2

4.0.0-RC.3

4.0.0-RC.4

4.0.0-RC.5

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.0.14

4.0.15

4.0.16

4.0.18

4.0.19

4.1.0-alpha

4.1.0-alpha.2

4.1.0-alpha.3

4.1.0-beta

4.1.0-beta.2

4.1.0-RC

4.1.0-RC.2

4.1.0-RC.4

4.1.0-RC.5

4.1.0-RC.6

4.1.0-RC.7

4.1.0

4.1.1

4.1.2

4.1.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-8c6h-7g6x-m5x4/GHSA-8c6h-7g6x-m5x4.json"

Packagist / phpmyfaq/phpmyfaq