Security Advisory 2026-01-23
Multiple vulnerabilities in phpMyFAQ
- Issued on: 2026-01-23
- Software: phpMyFAQ <= 4.0.16
- Risk: Moderate
- Platforms: all
The phpMyFAQ Team has learned of security issues that were discovered in phpMyFAQ 4.0.16 and earlier.
Description
A logged-in user who lacks the permission to download files can still download FAQ attachments. The cause is an overly permissive check in attachment.php that treats the mere presence of a right key as authorization, combined with a flawed group/user logic expression.
Authenticated non-admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.
Several public API endpoints return email addresses and non-public records (e.g., open questions with isVisible=false).
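The two authorization pitfalls named above, presence-of-a-key checks and an unparenthesized group/user expression, each beside a hardened form. This is an added illustration, not phpMyFAQ's own code; the right name `dlattachment`, the rights-array layout and the function names are assumptions.

```php
<?php
// Added illustration of the advisory's authorization pitfalls; not phpMyFAQ code.
// The right name, rights-array layout and function names are assumptions.
declare(strict_types=1);

/** Pitfall 1: a right key being present is not the same as the right being granted. */
function canDownloadPermissive(array $rights): bool
{
    // Passes for any user whose rights map contains the key, even when its value is false or 0.
    return isset($rights['dlattachment']);
}

function canDownloadStrict(array $rights): bool
{
    // Deny by default: only an explicitly granted right passes; a missing or false key denies.
    return ($rights['dlattachment'] ?? false) === true;
}

/** Pitfall 2: mixing || and && without parentheses changes which condition gates access. */
function attachmentVisibleFlawed(bool $isPublic, bool $userMatches, bool $groupMatches, bool $hasRight): bool
{
    // && binds tighter than ||, so this reads: isPublic OR userMatches OR (groupMatches AND hasRight).
    // A user match alone grants access, and the download right is never consulted for that path.
    return $isPublic || $userMatches || $groupMatches && $hasRight;
}

function attachmentVisibleFixed(bool $isPublic, bool $userMatches, bool $groupMatches, bool $hasRight): bool
{
    // Public records need no right; everything else requires the right AND a user or group match.
    if ($isPublic) {
        return true;
    }
    return $hasRight && ($userMatches || $groupMatches);
}

// Constructed sample: a logged-in user whose right key is present but explicitly set to false.
$rights = ['dlattachment' => false];
var_dump(canDownloadPermissive($rights), canDownloadStrict($rights));

// Constructed sample: the user matches the record but holds no download right on a non-public record.
var_dump(attachmentVisibleFlawed(false, true, false, false), attachmentVisibleFixed(false, true, false, false));
```

Run with `php example.php`; the permissive and flawed variants grant access in both samples while the strict and fixed variants deny it.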
Solution
The phpMyFAQ Team has released the new phpMyFAQ versions 4.0.17 and 4.1.0-RC.3, which fix the vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade to one of these versions as soon as possible.
Workaround
There's no workaround except installing phpMyFAQ 4.0.17 or 4.1.0-RC.3.
Thanks
The phpMyFAQ team would like to thank **Brahim-Fouad Guia** for the responsible disclosures of these vulnerabilities.