Improper Authorization in phpMyFAQ 4.0.16 (CVE‑2026‑24421) Allows Non‑Admin Users to Export Configuration Backups
What Happened – A missing authorization check in SetupController.php of phpMyFAQ ≤ 4.0.16 lets any authenticated, non‑admin user invoke the /api/setup/backup endpoint and receive a path to a ZIP file containing a full configuration backup.
Why It Matters for TPRM –
- Unauthorized backup files may contain database credentials, API keys, and internal network topology.
- Exposure of these artifacts can enable lateral movement against downstream vendors or cloud services.
- Exploitation needs nothing more than a valid low‑privilege account, so any organization that hands out user logins for a phpMyFAQ instance (as a hosted SaaS or on‑premise knowledge base) has a realistic attacker population: every end user, contractor, or compromised account.
Who Is Affected –
- Organizations running phpMyFAQ ≤ 4.0.16 (education portals, intranets, public‑facing FAQ sites).
- Vendors that embed phpMyFAQ as a component of larger SaaS offerings.
Recommended Actions –
- Verify the deployed phpMyFAQ version; upgrade to 4.0.17 or later, where the authorization check is enforced.
- If an immediate upgrade is not possible, restrict the /api/setup/ paths to administrator IP ranges at the web server or WAF and review who holds accounts. Note that IP restrictions do not stop an insider who already has a valid login; they only shrink the exposed population.
- Review the web server configuration to ensure generated backup ZIP files are not reachable by unauthenticated requests, and remove any archives already written to disk once they are no longer needed.
- Audit the secrets held in the phpMyFAQ configuration (database credentials, API keys) and rotate them if an unauthorized export cannot be ruled out from the access logs.
Technical Notes – The vulnerability (CVE‑2026‑24421) is an Improper Authorization flaw. The endpoint authenticates the request (userIsAuthenticated()) but never checks whether the caller holds admin or configuration permissions, so an authenticated low‑privilege user can perform an admin‑only action through the API (a vertical privilege escalation). Exploitation requires a valid, non‑admin credential; no CVSS score is published yet, but the impact is considered moderate because of the potential secret leakage. Source: Exploit‑DB 52523
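The following is an added illustration, not phpMyFAQ's own code: it models the authentication‑only gate described above beside a handler that also authorizes, adds a version check against the ≤ 4.0.16 range stated in this advisory, and walks constructed application log lines to find accounts without the configuration right that nevertheless received a 200 from /api/setup/backup. The permission name "editconfig", the backup path, and the log format are assumptions for the example.

```python
"""Model of the phpMyFAQ <= 4.0.16 authorization gap, with a version and log check.

Illustrative code written for this advisory; it is not phpMyFAQ source.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Last affected release per the advisory; 4.0.17 is stated as the fixed release.
LAST_AFFECTED = (4, 0, 16)

# Assumed name for the admin/configuration right; the real right name is not on the page.
CONFIG_PERMISSION = "editconfig"

# Constructed archive path returned by the endpoint in this model.
BACKUP_PATH = "/content/backup/phpmyfaq-backup.zip"


@dataclass
class User:
    name: str
    authenticated: bool
    permissions: frozenset[str] = field(default_factory=frozenset)


def user_is_authenticated(user: User) -> bool:
    """Stand-in for the controller's userIsAuthenticated() check (login only)."""
    return user.authenticated


def backup_vulnerable(user: User) -> tuple[int, dict]:
    """Flawed handler: being logged in is the only gate, so any account gets the path."""
    if not user_is_authenticated(user):
        return 401, {"error": "not authenticated"}
    return 200, {"backupFile": BACKUP_PATH}


def backup_fixed(user: User) -> tuple[int, dict]:
    """Hardened handler: authenticate first, then authorize against the config right."""
    if not user_is_authenticated(user):
        return 401, {"error": "not authenticated"}
    if CONFIG_PERMISSION not in user.permissions:
        return 403, {"error": "permission denied"}
    return 200, {"backupFile": BACKUP_PATH}


def parse_version(version: str) -> tuple[int, ...]:
    """'4.0.16' -> (4, 0, 16). Pre-release suffixes such as '-beta' are ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unrecognized version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(version: str) -> bool:
    """True for every release up to and including 4.0.16."""
    return parse_version(version) <= LAST_AFFECTED


# Constructed application log lines (timestamp, then key=value fields) for the audit below.
SAMPLE_LOG = """\
2026-01-14T10:02:11Z user=alice path=/api/setup/backup status=200
2026-01-14T10:05:40Z user=bob path=/api/setup/backup status=200
2026-01-14T10:06:02Z user=bob path=/api/faq/1 status=200
2026-01-14T10:07:55Z user=carol path=/api/setup/backup status=403
"""


def unauthorized_exports(log_text: str, users: dict[str, User]) -> list[str]:
    """Return users who got a 200 from /api/setup/backup without the config right.

    Unknown users are reported too: an account the role map cannot vouch for is a finding.
    """
    hits: list[str] = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("path") != "/api/setup/backup" or fields.get("status") != "200":
            continue
        who = fields.get("user", "<unknown>")
        user = users.get(who)
        if user is None or CONFIG_PERMISSION not in user.permissions:
            hits.append(who)
    return hits


if __name__ == "__main__":
    admin = User("alice", True, frozenset({CONFIG_PERMISSION}))
    member = User("bob", True)
    print("vulnerable, non-admin:", backup_vulnerable(member))
    print("fixed, non-admin:     ", backup_fixed(member))
    print("4.0.16 affected:", is_affected("4.0.16"), " 4.0.17 affected:", is_affected("4.0.17"))
    print("suspicious exports:", unauthorized_exports(SAMPLE_LOG, {"alice": admin, "bob": member}))
```

The log audit is the piece to run before deciding whether the credential rotation in the Recommended Actions is optional: a single non‑admin account with a successful backup call means the configuration secrets should be treated as exposed.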