Security Advisory 2026-02-27
Unauthenticated account creation vulnerability in phpMyFAQ
- Issued on: 2026-02-27
- Software: phpMyFAQ <= 4.0.17
- Risk: High
- Platforms: all
The phpMyFAQ Team has learned of a security issue that was discovered in phpMyFAQ 4.1.0-RC.6 and earlier releases, including the 4.0 series up to and including 4.0.17.
Description
The WebAuthn prepare endpoint (/api/webauthn/prepare) creates a new, active user account without requiring
authentication, a CSRF token, or a check that self-registration is enabled. An unauthenticated attacker can therefore
create an unlimited number of user accounts, even on installations where registration has been disabled.
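Because the endpoint is reachable without a session, the only trace of abuse on an unpatched installation is the web server's access log. The script below is an added example for this advisory, not phpMyFAQ code and not something the project ships: it parses Apache/nginx "combined" format access-log lines, counts successful requests to /api/webauthn/prepare per client address, and flags clients that hit the endpoint in bursts. The advisory does not state the HTTP method, so every method is counted; the log lines are constructed for the example, and the burst threshold and window are assumptions to tune to the site.

```python
"""Spot bulk account creation via phpMyFAQ's /api/webauthn/prepare endpoint
in web-server access logs.

Added example for this advisory; it is not phpMyFAQ code.  Assumptions:
the log is in Apache/nginx "combined" format, any HTTP method to the
endpoint counts (the advisory does not name the method), and a 2xx
response means an account was created.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_PATH = "/api/webauthn/prepare"  # endpoint named in the advisory

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one scripted burst, one ordinary visitor, one slow prober.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2026:10:00:01 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:10:00:02 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:10:00:03 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:10:00:04 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:10:00:05 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:10:00:06 +0000] "POST /api/webauthn/prepare?x=1 HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.4 - - [27/Feb/2026:10:03:10 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "https://faq.example/" "Mozilla/5.0"
198.51.100.4 - - [27/Feb/2026:10:03:11 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Feb/2026:10:10:00 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "curl/8.4"
203.0.113.9 - - [27/Feb/2026:10:20:00 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 312 "-" "curl/8.4"
203.0.113.9 - - [27/Feb/2026:10:30:00 +0000] "POST /api/webauthn/prepare HTTP/1.1" 500 0 "-" "curl/8.4"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match.
    The query string is stripped so /path?x=1 still matches the endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def successful_hits(lines):
    """Map client IP -> sorted timestamps of 2xx requests to TARGET_PATH.
    Every entry is a candidate account creation worth reviewing."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == TARGET_PATH and 200 <= rec["status"] < 300:
            hits[rec["ip"]].append(rec["ts"])
    return {ip: sorted(ts) for ip, ts in hits.items()}


def count_hits(lines):
    """Map client IP -> number of successful requests to the endpoint."""
    return {ip: len(ts) for ip, ts in successful_hits(lines).items()}


def find_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_hits} for clients that made at least `threshold`
    successful requests to the endpoint inside any `window`-long span.
    Sliding window over sorted timestamps; threshold/window are assumptions."""
    flagged = {}
    for ip, stamps in successful_hits(lines).items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("hits per client:", count_hits(lines))
    print("burst sources:", find_bursts(lines))
```

On a real server, feed the script the access log for the whole period an affected version was exposed; a single legitimate WebAuthn request from a browser session looks like the 198.51.100.4 entry, while a scripted attacker shows up as the 203.0.113.7 burst. The slow prober at 203.0.113.9 is below the burst threshold but still appears in the per-client count, which is why both views are worth keeping.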
Solution
The phpMyFAQ Team has released phpMyFAQ 4.0.18 and 4.1.0-RC.7, which fix the vulnerability. All users of affected
phpMyFAQ versions are encouraged to upgrade to one of these versions as soon as possible. Since the fix only closes the
endpoint, administrators should also review the user list for unexpected accounts created while an affected version was
exposed.
Workaround
There is no workaround other than installing phpMyFAQ 4.0.18 or 4.1.0-RC.7.
Thanks
The phpMyFAQ team would like to thank **Offensive-AI** for the responsible disclosure of this vulnerability.