GHSA-rm98-82fr-mcfx: phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User

May 6, 2026 (updated June 9, 2026)

12 endpoints in ConfigurationTabController.php use userIsAuthenticated() (login-only check) instead of userHasPermission(PermissionType::CONFIGURATION_EDIT). This allows any authenticated user — including ones with zero admin permissions — to enumerate system configuration metadata including the permission model, active template, cache backend, mail provider, and translation provider.

References

github.com/advisories/GHSA-rm98-82fr-mcfx
github.com/thorsten/phpMyFAQ/security/advisories/GHSA-rm98-82fr-mcfx
nvd.nist.gov/vuln/detail/CVE-2026-45007
www.vulncheck.com/advisories/phpmyfaq-missing-permission-check-on-12-configuration-api-endpoints-allows-information-disclosure

Code Behaviors & Features

Detect and mitigate GHSA-rm98-82fr-mcfx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →