Cyber Resilience

CVE-2026-27836

HighPublic PoC

Published: 27 February 2026

Published
27 February 2026
Modified
04 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0006 19.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27836 is a high-severity Missing Authorization (CWE-862) vulnerability in Phpmyfaq Phpmyfaq. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Create Account (T1136); ranked at the 19.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).

Deeper analysis

CVE-2026-27836 is a vulnerability in phpMyFAQ, an open source FAQ web application. In versions prior to 4.0.18, the WebAuthn prepare endpoint at `/api/webauthn/prepare` allows the creation of new active user accounts without requiring authentication, CSRF protection, CAPTCHA, or configuration checks. This flaw, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with no confidentiality or availability effects.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction or privileges required. By sending requests to the affected endpoint, they can create an unlimited number of active user accounts, even in deployments where user registration is explicitly disabled, potentially leading to account flooding, denial-of-service through resource exhaustion, or use as a foothold for further attacks.

The phpMyFAQ security advisory (GHSA-w22q-m2fm-x9f4) and the fixing commit (f2ab673f0668753cd0f7c7c8bc7fd2304dcf5cb1) confirm that upgrading to version 4.0.18 resolves the issue by adding the necessary authorization and protection checks to the endpoint. Security practitioners should prioritize patching affected instances and review configurations for exposed WebAuthn endpoints.

EU & UK References

Vulnerability details

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts…

more

even when registration is disabled. Version 4.0.18 fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization on public /api/webauthn/prepare endpoint directly enables unauthenticated creation of application user accounts (T1136) and is exploited via a public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24422Same product: Phpmyfaq Phpmyfaq
CVE-2024-56199Same product: Phpmyfaq Phpmyfaq
CVE-2026-34728Same product: Phpmyfaq Phpmyfaq
CVE-2024-12922Shared CWE-862
CVE-2025-27583Shared CWE-862
CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862

Affected Assets

phpmyfaq
phpmyfaq
≤ 4.0.18

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved access authorizations on the WebAuthn prepare endpoint, preventing unauthenticated attackers from creating active user accounts.

prevent

Manages account creation processes to require authentication and respect registration configuration settings, blocking unauthorized account provisioning.

prevent

Limits and authorizes actions performable without identification or authentication, ensuring user account creation is not permitted for unauthenticated users.

References