CVE-2026-35676: phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation

May 20, 2026 (updated May 28, 2026)

The password reset API can be triggered without authentication and without any out-of-band confirmation step.

If an attacker knows a valid username + email pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and only then sends the new password by email.

This creates two issues at the same time:

  • account enumeration through the response difference between valid and invalid pairs
  • forced password reset of another user’s account, which invalidates the old password immediately

In my local reproduction, I confirmed both the response difference and the password change itself.
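As an added illustration (not phpMyFAQ's own code), the PHP below shows a token-based reset flow that removes both issues described above: the request step never touches the account and returns the same message for valid and invalid pairs, and only a token delivered to the mailbox authorizes a password change. The user table, token store and mailer are constructed stand-ins.

```php
<?php
// Added example, not phpMyFAQ code. $users stands in for the account table,
// $tokens for a reset-token store; sendResetMail() is a placeholder mailer.
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a reset token stays valid

// Constructed sample account table, keyed by username.
$users = [
    'alice' => ['email' => 'alice@example.com',
                'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)],
];
$tokens = []; // sha256(token) => ['user' => username, 'expires' => unix time]

// Step 1: request a reset. The account is NOT modified here, and the returned
// message is identical whether or not the username/email pair is valid.
function requestReset(array $users, array &$tokens, string $username, string $email): string
{
    if (isset($users[$username]) && hash_equals($users[$username]['email'], $email)) {
        $token = bin2hex(random_bytes(32)); // raw token goes only to the mailbox owner
        $tokens[hash('sha256', $token)] = ['user' => $username, 'expires' => time() + TOKEN_TTL];
        sendResetMail($email, $token);
    }
    // Uniform response content; mail delivery should be queued so timing stays uniform too.
    return 'If the account exists, a reset link has been sent.';
}

// Step 2: only a valid, unexpired, single-use token (proof of mailbox access)
// changes the password. The old password stays valid until this succeeds.
function confirmReset(array &$users, array &$tokens, string $token, string $newPassword): bool
{
    $key = hash('sha256', $token);
    if (!isset($tokens[$key]) || $tokens[$key]['expires'] < time()) {
        return false;
    }
    $username = $tokens[$key]['user'];
    unset($tokens[$key]); // single use
    $users[$username]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

function sendResetMail(string $email, string $token): void
{
    // Placeholder for the real mailer (hostname is a constructed example).
    error_log("reset link for $email: https://faq.example.invalid/reset?token=$token");
}

// Demonstration: a valid and an invalid pair receive the same response,
// and the stored password is unchanged until confirmReset() runs.
echo requestReset($users, $tokens, 'alice', 'alice@example.com'), PHP_EOL;
echo requestReset($users, $tokens, 'alice', 'wrong@example.com'), PHP_EOL;
var_dump(password_verify('old-secret', $users['alice']['password_hash'])); // bool(true)
```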

References

  • github.com/advisories/GHSA-9qv9-8xv6-5p35
  • github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9qv9-8xv6-5p35
  • nvd.nist.gov/vuln/detail/CVE-2026-35676

Affected versions

All versions before 4.1.3

Fixed versions

  • 4.1.3

Solution

Upgrade to version 4.1.3 or above.

Impact: 8.2 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Weakness

  • CWE-640: Weak Password Recovery Mechanism for Forgotten Password

Source file

packagist/thorsten/phpmyfaq/CVE-2026-35676.yml

Page generated Tue, 23 Jun 2026 12:23:26 +0000.