CVE-2026-27836
Published: 27 February 2026
Summary
CVE-2026-27836 is a high-severity Missing Authorization (CWE-862) vulnerability in Phpmyfaq Phpmyfaq. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Create Account (T1136); ranked at the 19.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Deeper analysis
CVE-2026-27836 is a vulnerability in phpMyFAQ, an open source FAQ web application. In versions prior to 4.0.18, the WebAuthn prepare endpoint at `/api/webauthn/prepare` allows the creation of new active user accounts without requiring authentication, CSRF protection, CAPTCHA, or configuration checks. This flaw, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with no confidentiality or availability effects.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction or privileges required. By sending requests to the affected endpoint, they can create an unlimited number of active user accounts, even in deployments where user registration is explicitly disabled, potentially leading to account flooding, denial-of-service through resource exhaustion, or use as a foothold for further attacks.
The phpMyFAQ security advisory (GHSA-w22q-m2fm-x9f4) and the fixing commit (f2ab673f0668753cd0f7c7c8bc7fd2304dcf5cb1) confirm that upgrading to version 4.0.18 resolves the issue by adding the necessary authorization and protection checks to the endpoint. Security practitioners should prioritize patching affected instances and review configurations for exposed WebAuthn endpoints.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9059
Vulnerability details
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts…
more
even when registration is disabled. Version 4.0.18 fixes the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization on public /api/webauthn/prepare endpoint directly enables unauthenticated creation of application user accounts (T1136) and is exploited via a public-facing web application (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved access authorizations on the WebAuthn prepare endpoint, preventing unauthenticated attackers from creating active user accounts.
Manages account creation processes to require authentication and respect registration configuration settings, blocking unauthorized account provisioning.
Limits and authorizes actions performable without identification or authentication, ensuring user account creation is not permitted for unauthenticated users.