External risk intelligence

phpMyFAQ bypasses two-factor authentication for admin access

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-45010

phpMyFAQ's admin login can be bypassed by brute-forcing the six-digit one-time code: the `/admin/check` endpoint neither limits attempts nor ties the check to a session that has already passed the password step, so anyone who can reach it can take full control of your knowledge base. Update to version 4.1.2 or later immediately.

Halo Surface Signal: 4

External exposure likelihood

Halo Surface Signal score for CVE-2026-45010

phpMyFAQ is a web-based application typically deployed as an internet-facing service. Since the vulnerable administrative endpoint is part of the web application structure, it is commonly reachable from the internet in standard deployments where the knowledge base is hosted for external access.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in phpMyFAQ lets unauthenticated attackers bypass two-factor authentication. A six-digit TOTP code has only one million possible values, and because the check does not limit attempts, an attacker can submit candidate codes one after another until one is accepted, gaining administrative access. The result is unauthorized control of your knowledge base.

  • Attackers can gain full administrative access.
  • Bypasses two-factor authentication.
  • Reachable from the internet.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker exploits this by repeatedly POSTing to the `/admin/check` endpoint with a target user ID and a six-digit TOTP code, stepping through candidate codes until one is accepted. Because the check is not bound to a session that has already passed password authentication, the attacker can name any user ID (such as an administrator's) without first completing the password step, and because attempts are not limited, the search is bounded only by how fast the server answers requests.

  • No authentication required.
  • Targets admin check endpoint.
  • Brute-forces TOTP codes.
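The attack path above in working code, as an added example that is not part of the original advisory or of phpMyFAQ itself: a minimal TOTP verifier in the CWE-307 shape the advisory describes (any client, any user ID, unlimited attempts, no session binding), next to a hardened variant that applies the session binding and attempt limiting recommended under Operational Fix, and a sequential guesser run against both. The seed and frozen clock are the RFC 6238 Appendix B test vector so the run is deterministic; the `MAX_ATTEMPTS` value, the class and function names and the request shape are assumptions, not phpMyFAQ's.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed demo values, not phpMyFAQ settings. Seed and timestamp are the
# RFC 6238 Appendix B test vector, whose 8-digit SHA-1 code is 89005924, so the
# 6-digit code is 005924 and the run below is deterministic.
DEMO_SECRET = b"12345678901234567890"
FROZEN_TIME = 1234567890
MAX_ATTEMPTS = 5   # assumed lockout threshold for the hardened variant


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


@dataclass
class Session:
    # User ID whose password this session already verified, or None for an anonymous client.
    password_ok_for: Optional[str] = None


@dataclass
class AdminCheck:
    secrets: Dict[str, bytes]                    # user id -> enrolled TOTP seed
    now: int = FROZEN_TIME                       # frozen clock; a real server uses time.time()
    failures: Dict[str, int] = field(default_factory=dict)   # user id -> consecutive 2FA failures

    def vulnerable(self, user_id: str, code: str) -> bool:
        # CWE-307 shape: any client may name any user ID and try as often as it likes,
        # and nothing ties the request to a session that passed the password step.
        secret = self.secrets.get(user_id)
        return secret is not None and hmac.compare_digest(totp(secret, self.now), code)

    def hardened(self, session: Session, user_id: str, code: str) -> bool:
        # 1. Session binding: the second factor is only checkable for the user whose
        #    password this very session already verified.
        if session.password_ok_for != user_id:
            return False
        # 2. Attempt limiting, counted server-side per user, so opening a new session
        #    does not reset the counter.
        if self.failures.get(user_id, 0) >= MAX_ATTEMPTS:
            return False   # locked; production code should also alert and require an unlock
        if hmac.compare_digest(totp(self.secrets[user_id], self.now), code):
            self.failures[user_id] = 0
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        return False


def brute_force(check: Callable[[str], bool]) -> Tuple[bool, int]:
    """Submit 000000..999999 in order to check(code); return (accepted, attempts used)."""
    for n in range(10 ** 6):
        if check(f"{n:06d}"):
            return True, n + 1
    return False, 10 ** 6


def demo() -> Dict[str, object]:
    server = AdminCheck(secrets={"admin": DEMO_SECRET})
    anon = Session()                           # never entered a password
    legit = Session(password_ok_for="admin")   # passed the first factor for "admin"

    vuln_hit, vuln_tries = brute_force(lambda c: server.vulnerable("admin", c))
    anon_hit, _ = brute_force(lambda c: server.hardened(anon, "admin", c))
    legit_hit, _ = brute_force(lambda c: server.hardened(legit, "admin", c))
    return {
        "vulnerable_bypassed": vuln_hit,          # code found by plain iteration
        "vulnerable_attempts": vuln_tries,        # 5925 with the frozen RFC vector
        "hardened_anon_bypassed": anon_hit,       # no password step, so no check at all
        "hardened_bruteforced": legit_hit,        # locked after MAX_ATTEMPTS failures
        "admin_failures_recorded": server.failures.get("admin", 0),
    }


if __name__ == "__main__":
    print(demo())
```

With the clock frozen the guesser hits on the 5925th request because the current code is 005924; against a live target each guess has roughly a one-in-a-million chance per 30-second step, so the expected cost is on the order of a million requests at whatever rate the server accepts, which is the only limit the vulnerable variant imposes. The hardened variant fails the anonymous client before any code is compared and locks the account after five wrong codes, so the same loop never reaches the right one.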

Live Threat

Current exploitation, exposure, and threat context

The root cause is improper restriction of excessive authentication attempts (CWE-307) in the `/admin/check` endpoint: it performs no rate limiting and does not bind the TOTP check to a session that has completed the first factor, so a remote client can iterate codes for any user ID at whatever rate the server accepts. At the time of writing there is no indication of widespread exploitation and no public exploit circulating, which lowers the immediate threat but does not remove it, since the attack needs nothing beyond HTTP access to the endpoint.

  • Exploitation needs only HTTP access to the `/admin/check` endpoint.
  • No public exploit code is available yet.
  • Vulnerability affects administrative access.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Apply version 4.1.2 or later as the fix. Until then, restrict access to the `/admin/check` endpoint (and the rest of the admin area) to trusted source addresses or a VPN rather than blocking it outright, since a blanket block also breaks legitimate administrator logins, and rate-limit administrative login attempts both per source address and per target user ID, because an attacker can spread the guesses across many addresses. If your phpMyFAQ instance is internet-facing and administrative access cannot be restricted, take it offline temporarily until the patch is applied. This vulnerability allows unauthenticated attackers to brute-force two-factor authentication codes, leading to administrative takeover.

  • Apply phpMyFAQ version 4.1.2 or later.
  • Implement firewall rules restricting the admin endpoint to trusted source addresses.
  • Monitor for unusual POST requests to the admin endpoint.
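The monitoring step above as working detection logic, as an added example that is not part of the original advisory or of phpMyFAQ: a small detector that reads combined-format web server access logs and raises an alert on POST bursts to `/admin/check`, keyed both per source address and across all sources, since an attacker who is throttled per address can spread the guessing over many. The log format, thresholds, window length and the sample lines are assumptions and constructed data, not phpMyFAQ output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Apache/nginx combined log format (assumed); only the fields the detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TARGET_PATH = "/admin/check"
WINDOW_SECONDS = 60
PER_IP_THRESHOLD = 20   # assumed: more POSTs per minute than this from one address is not a person
GLOBAL_THRESHOLD = 50   # assumed: catches the same guessing spread across many addresses


def parse(line: str) -> Optional[Tuple[str, float, str, str, int]]:
    """Return (ip, unix_time, method, path_without_query, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    path = m["path"].split("?", 1)[0]
    return m["ip"], ts, m["method"], path, int(m["status"])


def detect(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (rule, source, count) alerts for POST bursts against TARGET_PATH.

    Two sliding windows run side by side: one per source address and one over all
    sources, because a brute force that is rate-limited per IP simply moves to many IPs.
    """
    per_ip: Dict[str, Deque[float]] = defaultdict(deque)
    everyone: Deque[float] = deque()
    alerts: List[Tuple[str, str, int]] = []
    flagged = set()   # alert once per source, and once for the global rule ("*")
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, t, method, path, _status = rec
        if method != "POST" or path != TARGET_PATH:
            continue
        for q in (per_ip[ip], everyone):
            q.append(t)
            while t - q[0] > WINDOW_SECONDS:   # drop events older than the window
                q.popleft()
        if len(per_ip[ip]) > PER_IP_THRESHOLD and ip not in flagged:
            flagged.add(ip)
            alerts.append(("per_ip", ip, len(per_ip[ip])))
        if len(everyone) > GLOBAL_THRESHOLD and "*" not in flagged:
            flagged.add("*")
            alerts.append(("global", "*", len(everyone)))
    return alerts


def sample_log() -> List[str]:
    """Constructed access-log lines: one administrator, one noisy guesser, and one
    distributed guesser whose 12 addresses each stay under the per-IP threshold."""
    base = datetime(2026, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    events = [("10.0.0.5", s) for s in (0, 40, 80)]                        # legitimate admin
    events += [("203.0.113.7", 100 + s) for s in range(30)]                # one address, 30 guesses in 30 s
    events += [(f"198.51.100.{1 + i % 12}", 300 + i) for i in range(60)]   # 12 addresses, 5 guesses each
    lines = []
    for ip, offset in events:
        stamp = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{stamp}] "POST /admin/check HTTP/1.1" 200 512 "-" "curl/8.0"')
    # an unrelated request (GET, not POST) that the filter must ignore
    lines.append('10.0.0.5 - - [01/Mar/2026:10:06:00 +0000] "GET /admin/check HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

On the constructed sample the single noisy address trips the per-IP rule on its 21st request, while the distributed guesser never exceeds five requests from any one address and is caught only by the global window at its 51st request. Tune the thresholds to the real login volume of the instance: after the patch the endpoint itself refuses the excess attempts, but the alert still tells you someone is trying.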

Frequently asked questions

What is phpMyFAQ and what does it do?

phpMyFAQ is an open-source, database-driven system for managing frequently asked questions. It is used to create public knowledge bases and supports multiple languages, user permissions, and content versioning. It also includes features like a WYSIWYG editor and search capabilities.

What type of vulnerability is CVE-2026-45010?

CVE-2026-45010 is an "improper restriction of excessive authentication attempts" vulnerability, categorized as CWE-307. This means the software does not limit how many authentication attempts a client can make, so a secret drawn from a small space, such as a six-digit one-time code, can be found by trying values until one is accepted.

How can an attacker exploit CVE-2026-45010?

An unauthenticated attacker can exploit this by repeatedly sending POST requests to the `/admin/check` endpoint. This allows them to brute-force a user's six-digit TOTP code, bypassing two-factor authentication and gaining full administrative access.

What is the relevance of CVE-2026-45010 for users?

This vulnerability allows attackers to gain full administrative control over phpMyFAQ instances by bypassing two-factor authentication. This could lead to unauthorized modification of FAQ content, user management, configuration changes, and data access.

What actions should be taken to address CVE-2026-45010?

It is recommended to update phpMyFAQ to version 4.1.2 or later. Additionally, restrict the `/admin/check` endpoint at the network level to trusted sources and rate-limit administrative login attempts. If the instance is internet-facing and cannot be restricted, consider taking it offline temporarily until patching is complete.
