CVE-2026-45010: phpMyFAQ 2FA Bypass Grants Admin Access
The National Vulnerability Database has disclosed CVE-2026-45010, a critical vulnerability in phpMyFAQ versions prior to 4.1.2. This flaw, rated 9.1 CVSS (CRITICAL), stems from an improper restriction of excessive authentication attempts within the /admin/check endpoint.
Specifically, the endpoint accepts arbitrary user-id parameters without any session binding or rate limiting. This oversight allows unauthenticated attackers to brute-force six-digit Time-based One-Time Password (TOTP) codes. By submitting POST requests with sequential token values, attackers can bypass two-factor authentication entirely, achieving full administrative access to affected phpMyFAQ instances.
This isn’t just a theoretical bypass; it’s a direct path to administrative control. The lack of basic rate limiting on a critical authentication mechanism is a design failure. Defenders need to recognize that even with 2FA enabled, if the underlying implementation is flawed, it offers a false sense of security. Attackers will always target the weakest link, and in this case, it’s the server-side validation of TOTP attempts.
What This Means For You
- If your organization uses phpMyFAQ, you need to immediately verify your version. Patch to 4.1.2 or higher without delay. This isn't a 'monitor for exploitation' situation; it's a 'patch now or face full administrative compromise' situation. Audit your phpMyFAQ logs for any unusual or excessive authentication attempts, especially against the `/admin/check` endpoint, as this vulnerability provides unauthenticated admin access.
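The log audit recommended above can be scripted. The following is an added example, not code from phpMyFAQ or from the original advisory: it counts POST requests to `/admin/check` in a sliding window, per source address and across all sources (the advisory notes the endpoint has no session binding, so attempts may be spread over many addresses). The combined access log format, the window and both thresholds are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ENDPOINT = "/admin/check"      # endpoint named in the advisory
WINDOW = timedelta(minutes=5)  # assumed tuning values below, not from the advisory
PER_IP_LIMIT = 10              # POSTs per source address within WINDOW
GLOBAL_LIMIT = 30              # POSTs from all sources combined within WINDOW


def parse(line):
    """Return (timestamp, ip) for a POST to ENDPOINT (any install sub-path), else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if not m["path"].split("?", 1)[0].rstrip("/").endswith(ENDPOINT):
        return None
    try:
        return datetime.strptime(m["ts"], TS_FMT), m["ip"]
    except ValueError:
        return None


def find_bursts(lines):
    """Return ({ip: peak POSTs in WINDOW} over PER_IP_LIMIT, global limit exceeded?)."""
    per_ip, everyone = defaultdict(deque), deque()
    flagged, global_burst = {}, False
    for ts, ip in sorted(filter(None, map(parse, lines))):
        for q in (per_ip[ip], everyone):  # sliding windows: per source and overall
            q.append(ts)
            while q[0] < ts - WINDOW:
                q.popleft()
        if len(per_ip[ip]) > PER_IP_LIMIT:
            flagged[ip] = max(flagged.get(ip, 0), len(per_ip[ip]))
        global_burst = global_burst or len(everyone) > GLOBAL_LIMIT
    return flagged, global_burst


def sample_log():
    """Constructed sample: one admin login, unrelated noise, a 40-request burst."""
    base = datetime(2026, 5, 16, 9, 0, tzinfo=timezone.utc)
    def row(ip, offset, req="POST /admin/check HTTP/1.1"):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{req}" 200 512 "-" "-"'
    rows = [row("198.51.100.7", 0), row("198.51.100.7", 5, "GET /index.php HTTP/1.1")]
    return rows + [row("203.0.113.9", 10 + i) for i in range(40)] + ["malformed line"]
```

`find_bursts()` accepts any iterable of log lines, so an open access log file can be passed in directly; tune the window and limits to the normal volume of administrator logins.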
🛡️ Detection Rules
CVE-2026-45010: phpMyFAQ Admin 2FA Bypass via Brute-Force
```yaml
title: 'CVE-2026-45010: phpMyFAQ Admin 2FA Bypass via Brute-Force'
id: scw-2026-05-15-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-45010 by targeting the '/admin/check' endpoint via POST requests. This bypasses two-factor authentication in phpMyFAQ versions prior to 4.1.2 by allowing brute-force of TOTP codes without session binding or rate limiting, granting administrative access.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45010/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Matches every POST to the endpoint; no request-count threshold is applied.
  selection:
    uri|contains:
      - '/admin/check'
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-45010 | Auth Bypass | phpMyFAQ before 4.1.2 |
| CVE-2026-45010 | Auth Bypass | Vulnerable endpoint: /admin/check |
| CVE-2026-45010 | Auth Bypass | Brute-force six-digit TOTP codes |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 15, 2026 at 22:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.