CVE-2026-27836
Published: 27 February 2026
Summary
CVE-2026-27836 is a high-severity Missing Authorization (CWE-862) vulnerability in Phpmyfaq Phpmyfaq. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Create Account (T1136); ranked at the 19.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization on public /api/webauthn/prepare endpoint directly enables unauthenticated creation of application user accounts (T1136) and is exploited via a public-facing web application (T1190).
NVD Description
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts…
more
even when registration is disabled. Version 4.0.18 fixes the issue.
Deeper analysisAI
CVE-2026-27836 is a vulnerability in phpMyFAQ, an open source FAQ web application. In versions prior to 4.0.18, the WebAuthn prepare endpoint at `/api/webauthn/prepare` allows the creation of new active user accounts without requiring authentication, CSRF protection, CAPTCHA, or configuration checks. This flaw, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with no confidentiality or availability effects.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction or privileges required. By sending requests to the affected endpoint, they can create an unlimited number of active user accounts, even in deployments where user registration is explicitly disabled, potentially leading to account flooding, denial-of-service through resource exhaustion, or use as a foothold for further attacks.
The phpMyFAQ security advisory (GHSA-w22q-m2fm-x9f4) and the fixing commit (f2ab673f0668753cd0f7c7c8bc7fd2304dcf5cb1) confirm that upgrading to version 4.0.18 resolves the issue by adding the necessary authorization and protection checks to the endpoint. Security practitioners should prioritize patching affected instances and review configurations for exposed WebAuthn endpoints.
Details
- CWE(s)