phpMyFAQ Unauthenticated Password Reset Vulnerability (CVE-2026-35676)
phpMyFAQ before 4.1.3 is vulnerable to an unauthenticated password reset, allowing attackers to change account passwords without token validation by sending crafted PUT requests to the /api/index.php/user/password/update endpoint.
phpMyFAQ before version 4.1.3 is susceptible to an unauthenticated password reset vulnerability (CVE-2026-35676). This flaw resides in the user password update API endpoint, specifically within the /api/index.php/user/password/update path. Attackers can exploit this vulnerability by sending crafted PUT requests to the vulnerable endpoint, bypassing token validation. Successful exploitation allows threat actors to change the passwords of existing accounts, leading to account disruption, denial of service, and potential unauthorized access. This vulnerability can be exploited without authentication, making it critical for defenders to address.
Attack Chain
- Attacker identifies a phpMyFAQ instance running a version prior to 4.1.3.
- Attacker enumerates valid usernames and associated email addresses.
- Attacker crafts a PUT request targeting the /api/index.php/user/password/update endpoint. The request body contains the target username, email address, and the attacker's desired new password.
- Attacker sends the crafted PUT request to the vulnerable endpoint.
- The phpMyFAQ application, lacking proper token validation, updates the user's password to the attacker-specified value.
- The legitimate user's password is now changed without their consent or knowledge.
- Attacker uses the new password to log into the compromised account.
- Attacker gains unauthorized access to the user's account and any associated sensitive data.
Impact
Successful exploitation of this vulnerability allows attackers to take complete control of user accounts in affected phpMyFAQ installations. This can lead to data breaches, denial of service, or further malicious activities within the application. Given the ease of exploitation and lack of authentication required, this vulnerability poses a significant risk to organizations utilizing vulnerable phpMyFAQ versions. There is no specified victim count for this CVE.
Recommendation
- Upgrade phpMyFAQ to version 4.1.3 or later to patch CVE-2026-35676.
- Deploy the Sigma rule "Detect phpMyFAQ Password Reset Attempt" to your SIEM to identify exploitation attempts targeting the /api/index.php/user/password/update endpoint.
- Monitor web server logs for unusual PUT requests to the /api/index.php/user/password/update endpoint, as this is the primary attack vector.
- Implement rate limiting on the password reset endpoint to mitigate brute-force enumeration attempts.
Detection coverage (2 rules)
Detect phpMyFAQ Password Reset Attempt (severity: high)
Detects CVE-2026-35676 exploitation: an unauthenticated password reset attempt in phpMyFAQ via PUT requests to /api/index.php/user/password/update.
Detect phpMyFAQ Password Reset from Uncommon Source IP (severity: medium)
Detects CVE-2026-35676 exploitation: an unauthenticated password reset attempt in phpMyFAQ via PUT requests to /api/index.php/user/password/update from uncommon source IPs.
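The log-monitoring recommendation above and the two detection rules share the same core logic: flag PUT requests to /api/index.php/user/password/update, then separate out those from source IPs that are not expected clients. The following is an added example of that logic in Python, not code from phpMyFAQ or from the platform's Sigma rules; the access-log lines are constructed in combined log format, and the set of "known" source IPs is a hypothetical allowlist a defender would maintain.

```python
import re
from collections import Counter

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "PUT /api/index.php/user/password/update HTTP/1.1" 200 73 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2026:12:00:03 +0000] "PUT /api/index.php/user/password/update HTTP/1.1" 200 73 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:12:05:00 +0000] "POST /api/index.php/user/password/update HTTP/1.1" 405 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2026:12:06:00 +0000] "PUT /api/index.php/user/password/update?x=1 HTTP/1.1" 200 73 "-" "curl/8.4"
"""

# Endpoint named in the advisory; the detection keys on method + path.
TARGET_PATH = "/api/index.php/user/password/update"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_reset_attempts(log_text):
    """Rule 1 logic: PUT requests whose path (query string stripped) is the endpoint."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "PUT" and entry["path"].split("?", 1)[0] == TARGET_PATH:
            hits.append(entry)
    return hits


def flag_uncommon_sources(hits, known_sources):
    """Rule 2 logic: attempts from IPs outside the hypothetical allowlist of expected clients."""
    return [entry for entry in hits if entry["ip"] not in known_sources]


def count_by_source(hits):
    """Per-source counts, useful for spotting enumeration-style repetition."""
    return Counter(entry["ip"] for entry in hits)


if __name__ == "__main__":
    attempts = find_reset_attempts(SAMPLE_LOG)
    for entry in attempts:
        print(f"[reset attempt] {entry['ts']} {entry['ip']} status={entry['status']}")
    print("uncommon sources:", [e["ip"] for e in flag_uncommon_sources(attempts, {"203.0.113.5"})])
```

A 200 status on a flagged request warrants an immediate check of the named account, since on an unpatched instance it means the password was actually changed.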