GHSA-rm98-82fr-mcfx: phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User

May 6, 2026

12 endpoints in ConfigurationTabController.php use userIsAuthenticated() (login-only check) instead of userHasPermission(PermissionType::CONFIGURATION_EDIT). This allows any authenticated user — including ones with zero admin permissions — to enumerate system configuration metadata including the permission model, active template, cache backend, mail provider, and translation provider.

References

github.com/advisories/GHSA-rm98-82fr-mcfx
github.com/thorsten/phpMyFAQ
github.com/thorsten/phpMyFAQ/security/advisories/GHSA-rm98-82fr-mcfx

Code Behaviors & Features

Detect and mitigate GHSA-rm98-82fr-mcfx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →