GHSA-8c6h-7g6x-m5x4
phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)
Details
Missing authorization in the API CategoryController, FaqController and QuestionController. CVE-2026-24421 fixed BackupController by adding userHasPermission(PermissionType::BACKUP), but the same fix was not applied to four other write endpoints in the public API. All four only call hasValidToken() (the shared API key) and never call userHasPermission(), so any holder of the API token can perform these admin operations regardless of the permissions of the user account it acts as.
## Summary
CVE-2026-24421 fixed BackupController by adding: $this->userHasPermission(PermissionType::BACKUP);
The same fix was NOT applied to four other write endpoints in the public API. All four only call $this->hasValidToken(), which checks a shared API key header, not the individual user's role permissions. Holding the key proves the caller is an API client; it says nothing about what that user is allowed to do.
## Affected Endpoints
1. src/phpMyFAQ/Controller/Api/CategoryController.php, create(): POST /api/v4.0/category. Missing: userHasPermission(PermissionType::CATEGORY_ADD). Impact: any API token holder can create categories regardless of user role.
2. src/phpMyFAQ/Controller/Api/FaqController.php, create(): POST /api/v4.0/faq. Missing: userHasPermission(PermissionType::FAQ_ADD). Impact: any API token holder can create FAQ entries regardless of user role.
3. src/phpMyFAQ/Controller/Api/FaqController.php, update(): PUT /api/v4.0/faq. Missing: userHasPermission(PermissionType::FAQ_EDIT). Impact: any API token holder can update any FAQ entry regardless of user role.
4. src/phpMyFAQ/Controller/Api/QuestionController.php, create(): POST /api/v4.0/question. Missing: permission check (the advisory names no specific PermissionType). Impact: any API token holder can create questions regardless of user role.
## Root Cause
All four methods only call $this->hasValidToken(), which validates the shared API key and is therefore an authentication check, not a per-user authorization check.
The fixed BackupController correctly calls $this->userHasPermission(PermissionType::BACKUP) after the token check.
PermissionType::CATEGORY_ADD, FAQ_ADD and FAQ_EDIT all already exist in src/phpMyFAQ/Enums/PermissionType.php; they are simply not used by these endpoints.
## Fix
Add userHasPermission() before the business logic in each method, after the existing hasValidToken() call:

```php
// CategoryController::create()
$this->userHasPermission(PermissionType::CATEGORY_ADD);

// FaqController::create()
$this->userHasPermission(PermissionType::FAQ_ADD);

// FaqController::update()
$this->userHasPermission(PermissionType::FAQ_EDIT);
```

For QuestionController::create() the advisory lists the check as missing without naming the corresponding PermissionType.
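The following is an added illustration, not phpMyFAQ's own code, of the distinction the Root Cause and Fix sections rely on: a shared-token check is authentication, a per-user permission check is authorization, and a write endpoint needs both. The class and method names mirror the advisory; the shared token value, the user-to-permission table, the exception classes, the ApiRequest shape (with the acting user's id carried separately from the API key) and the enum backing values are assumptions made for this example.

```php
<?php
// Added example, not phpMyFAQ code. Shows why hasValidToken() alone lets any
// API-key holder write, and what adding userHasPermission() changes.
declare(strict_types=1);

// Assumed backing values; only the case names come from the advisory.
enum PermissionType: string
{
    case CATEGORY_ADD = 'add_cat';
    case FAQ_ADD      = 'add_faq';
    case FAQ_EDIT     = 'edit_faq';
    case BACKUP       = 'backup';
}

final class UnauthorizedException extends RuntimeException {}
final class ForbiddenException extends RuntimeException {}

// Assumed request shape: the API key is one shared secret for all clients;
// the user the call acts as is identified separately (e.g. from a session).
final class ApiRequest
{
    public function __construct(
        public readonly string $apiToken,
        public readonly int $userId,
        public readonly array $payload,
    ) {}
}

abstract class AbstractApiController
{
    private const SHARED_API_TOKEN = 'example-shared-token'; // constructed sample value

    // Constructed sample rights table: user 1 is an admin, user 7 has no write rights.
    private const USER_PERMISSIONS = [
        1 => ['add_cat', 'add_faq', 'edit_faq', 'backup'],
        7 => [],
    ];

    // Authentication only: proves the caller holds the shared API key.
    protected function hasValidToken(ApiRequest $request): void
    {
        if (!hash_equals(self::SHARED_API_TOKEN, $request->apiToken)) {
            throw new UnauthorizedException('invalid API token');
        }
    }

    // Authorization: proves that THIS user holds THIS specific right.
    protected function userHasPermission(ApiRequest $request, PermissionType $permission): void
    {
        $rights = self::USER_PERMISSIONS[$request->userId] ?? [];
        if (!in_array($permission->value, $rights, true)) {
            throw new ForbiddenException(
                sprintf('user %d lacks %s', $request->userId, $permission->name)
            );
        }
    }
}

final class FaqController extends AbstractApiController
{
    // Vulnerable shape described by the advisory: token check only.
    public function createUnfixed(ApiRequest $request): string
    {
        $this->hasValidToken($request);
        return 'created FAQ: ' . $request->payload['question'];
    }

    // Fixed shape: token check, then the per-user permission check.
    public function create(ApiRequest $request): string
    {
        $this->hasValidToken($request);
        $this->userHasPermission($request, PermissionType::FAQ_ADD);
        return 'created FAQ: ' . $request->payload['question'];
    }
}

// A low-privilege user (id 7) who knows the shared API key.
$lowPriv = new ApiRequest('example-shared-token', 7, ['question' => 'Is this allowed?']);
$ctl = new FaqController();

// Unfixed endpoint: authentication passes and nobody asks about rights, so the write succeeds.
echo $ctl->createUnfixed($lowPriv), PHP_EOL;

// Fixed endpoint: same token, same user, now rejected because user 7 lacks FAQ_ADD.
try {
    $ctl->create($lowPriv);
} catch (ForbiddenException $e) {
    echo 'fixed create(): ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php` (PHP 8.1 or later for enums and readonly properties). The point to take from the two calls is that the key check passes identically in both; only the second method consults the acting user's rights, which is exactly the line the advisory asks to add to the four affected endpoints.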
## Reporter
Santhoshini Ganta. GitHub: @santhoshinipayload. Email: santhoshinive75@gmail.com. LinkedIn: http://linkedin.com/in/santhoshini-g-1440621ba
Affected packages
- thorsten/phpmyfaq (Composer): fixed in 4.1.4. `composer require thorsten/phpmyfaq:^4.1.4`
- phpmyfaq/phpmyfaq (Composer): fixed in 4.1.4. `composer require phpmyfaq/phpmyfaq:^4.1.4`