GHSA-xvp4-phqj-cjr3: phpMyFAQ: IDOR Account Takeover
An Insecure Direct Object Reference (IDOR) vulnerability in phpMyFAQ’s Admin API allows any authenticated administrator to change the password of any user account, including SuperAdmin accounts (userId=1), because the endpoint never verifies that the caller is authorized to act on the targeted account. An attacker with a low-privilege admin account can escalate to full SuperAdmin control simply by changing the target user’s ID in the API request body.
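The missing check, shown as an added illustration rather than phpMyFAQ's own code: a hypothetical password-change handler in the vulnerable shape the advisory describes (target account taken straight from the request body) beside a hardened version that ties the target to the caller's identity and role. The class names, the `isSuperAdmin` flag, the in-memory user store and PHP 8.1 are assumptions.

```php
<?php
// Added illustration, not phpMyFAQ's code. Class names, the isSuperAdmin
// flag and the in-memory user store are assumptions; requires PHP >= 8.1.
declare(strict_types=1);

final class User
{
    public function __construct(
        public readonly int $id,
        public readonly bool $isSuperAdmin,
        public string $passwordHash,
    ) {}
}

final class PasswordChangeDenied extends RuntimeException {}

/** @var array<int, User> Constructed sample accounts: id 1 is the SuperAdmin. */
$users = [
    1 => new User(1, true,  password_hash('super-secret', PASSWORD_DEFAULT)),
    7 => new User(7, false, password_hash('low-priv',     PASSWORD_DEFAULT)),
];

// Vulnerable pattern: the target account is whatever userId the request body
// names, and the caller's relationship to that account is never checked.
function changePasswordVulnerable(array $users, User $caller, array $body): void
{
    $target = $users[(int) $body['userId']];
    $target->passwordHash = password_hash($body['newPassword'], PASSWORD_DEFAULT);
}

// Hardened pattern: a caller may change only their own password unless they
// are a SuperAdmin; every denied attempt is logged for detection.
function changePasswordChecked(array $users, User $caller, array $body): void
{
    $targetId = (int) ($body['userId'] ?? $caller->id);
    $target   = $users[$targetId] ?? throw new PasswordChangeDenied('unknown user');

    if ($targetId !== $caller->id && !$caller->isSuperAdmin) {
        error_log(sprintf('denied: user %d attempted password reset of user %d',
            $caller->id, $targetId));
        throw new PasswordChangeDenied('insufficient privilege');
    }
    $target->passwordHash = password_hash($body['newPassword'], PASSWORD_DEFAULT);
}

// Low-privilege admin (id 7) names the SuperAdmin (id 1) in the body: denied.
try {
    changePasswordChecked($users, $users[7], ['userId' => 1, 'newPassword' => 'x']);
} catch (PasswordChangeDenied $e) {
    echo "blocked: {$e->getMessage()}\n";
}
```

The same request against `changePasswordVulnerable` silently overwrites the SuperAdmin's hash, which is exactly the gap the advisory describes.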