CVE-2026-35671: phpMyFAQ: IDOR Account Takeover
An Insecure Direct Object Reference (IDOR) vulnerability in phpMyFAQ’s Admin API allows any authenticated administrator to change the password of any user account, including SuperAdmin accounts (userId=1), without authorization verification. An attacker holding a low-privilege admin account can escalate to full SuperAdmin control simply by changing the target user’s ID in the API request body.
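The root cause described above is a password-change handler that acts on a caller-supplied `userId` without first checking that the caller is entitled to modify that account. The following is an added, hypothetical PHP example, not phpMyFAQ’s own code: the `Caller` class, the `changePasswordVulnerable` and `changePasswordHardened` functions and the in-memory `$users` table are all constructed here to contrast the missing check with a handler that authorizes the request against the caller’s identity before changing any state.

```php
<?php
// Added example, not phpMyFAQ code. Shows the authorization check an IDOR of
// this kind lacks: a handler must never act on a body-supplied userId without
// first deciding whether the authenticated caller may touch that account.

declare(strict_types=1);

// Hypothetical representation of the authenticated caller (from the session).
final class Caller
{
    public function __construct(
        public readonly int $userId,
        public readonly bool $isSuperAdmin,
    ) {}
}

final class AuthorizationError extends RuntimeException {}

/**
 * Vulnerable pattern (hypothetical): the caller is never consulted, so any
 * authenticated admin can reset any user's password, including userId=1.
 */
function changePasswordVulnerable(array $users, Caller $caller, array $body): array
{
    $targetId = (int) $body['userId'];
    $users[$targetId]['password_hash'] = password_hash($body['newPassword'], PASSWORD_DEFAULT);
    return $users;
}

/**
 * Hardened pattern: validate the target, then authorize the caller against it
 * before any state change. Only the account owner or a SuperAdmin may change a
 * given user's password; because a SuperAdmin account is owned by a SuperAdmin,
 * this single rule also stops a low-privilege admin from touching userId=1.
 */
function changePasswordHardened(array $users, Caller $caller, array $body): array
{
    $targetId = filter_var($body['userId'] ?? null, FILTER_VALIDATE_INT);
    if ($targetId === false || !isset($users[$targetId])) {
        throw new InvalidArgumentException('unknown user');
    }

    $isSelf = $caller->userId === $targetId;
    if (!$isSelf && !$caller->isSuperAdmin) {
        throw new AuthorizationError(
            sprintf('caller %d may not modify user %d', $caller->userId, $targetId)
        );
    }

    // Record every cross-account change so a detection rule can flag
    // password resets where caller != target.
    error_log(sprintf('password change: caller=%d target=%d', $caller->userId, $targetId));

    $users[$targetId]['password_hash'] = password_hash($body['newPassword'], PASSWORD_DEFAULT);
    return $users;
}

// Constructed sample data: user 1 is a SuperAdmin, user 7 a low-privilege admin.
$users = [
    1 => ['is_super_admin' => true,  'password_hash' => 'placeholder-hash'],
    7 => ['is_super_admin' => false, 'password_hash' => 'placeholder-hash'],
];
$lowPrivAdmin = new Caller(userId: 7, isSuperAdmin: false);
$request = ['userId' => 1, 'newPassword' => 'constructed-sample'];

try {
    changePasswordHardened($users, $lowPrivAdmin, $request);
} catch (AuthorizationError $e) {
    // The hardened handler refuses the cross-account change.
    echo "denied: {$e->getMessage()}\n";
}

// The same caller may still change their own password.
$users = changePasswordHardened($users, $lowPrivAdmin, ['userId' => 7, 'newPassword' => 'constructed-sample']);
```

The important design point is that the authorization decision is made from session state (`Caller`), never from anything in the request body, and that it happens before the write. The `error_log` line is there for the defensive side: a log of caller/target pairs lets a monitoring rule spot password resets issued against accounts the caller does not own.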