CVE-2026-46359: phpMyFAQ SQL Injection via OAuth Token Claims

The National Vulnerability Database has disclosed CVE-2026-46359, a high-severity SQL injection vulnerability affecting phpMyFAQ installations prior to version 4.1.2. This flaw resides within the CurrentUser::setTokenData function, allowing authenticated attackers to execute arbitrary SQL queries by injecting malicious OAuth token claims.

Attackers can exploit this by crafting Azure AD accounts where display names or JWT claims contain SQL metacharacters. This enables them to break out of string literals within the application’s database interactions, leading to arbitrary database query execution. The CVSS score for this vulnerability is 7.5 (High), indicating significant impact on confidentiality, integrity, and availability.

This isn’t a theoretical issue; it’s a critical bypass for authentication and authorization. Any organization using phpMyFAQ with OAuth integrations, especially those leveraging Azure AD, needs to understand that a compromised or malicious Azure AD account can directly translate into full database compromise. The attacker’s calculus here is clear: leverage a trusted identity provider’s data to gain unauthorized access and control over the target application’s data.

What This Means For You

  • If your organization uses phpMyFAQ, immediately check your version. Patch to 4.1.2 or higher without delay. Review your Azure AD configuration for any unusual display names or claims, and monitor logs for suspicious activity related to OAuth token processing in phpMyFAQ. This is a direct path to data exfiltration and system compromise.
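As an added illustration (not phpMyFAQ's code and not part of the advisory), the pattern described above in Python against SQLite: a constructed claim set whose display name carries an apostrophe breaks a query that splices claim values into SQL text, while the parameterized form stores the same value intact. The `faquser` table, the function names and `suspicious_claims`, which supports the advice to review identity-provider claims for SQL metacharacters, are all assumptions for this example.

```python
import sqlite3

# Constructed sample of the claims an identity provider might return for a
# signed-in user; the display name is the claim the advisory singles out.
SAMPLE_CLAIMS = {
    "preferred_username": "o.brien@example.com",
    "name": "Conor O'Brien",   # one apostrophe is enough to break a naive query
}

SQL_METACHARS = set("'\";\\")  # characters that end or alter a SQL string literal

def suspicious_claims(claims):
    """Names of string claims containing SQL metacharacters, for review/alerting."""
    return sorted(k for k, v in claims.items()
                  if isinstance(v, str) and any(c in SQL_METACHARS for c in v))

def fresh_db():
    conn = sqlite3.connect(":memory:")   # assumed schema, not phpMyFAQ's
    conn.execute("CREATE TABLE faquser (login TEXT PRIMARY KEY, display_name TEXT)")
    conn.execute("INSERT INTO faquser VALUES ('o.brien@example.com', '')")
    return conn

def set_token_data_unsafe(conn, claims):
    """Vulnerable pattern (illustrative): claim values are spliced into the SQL
    text, so a quote inside a claim terminates the string literal early."""
    sql = ("UPDATE faquser SET display_name = '" + claims["name"] + "'"
           " WHERE login = '" + claims["preferred_username"] + "'")
    conn.execute(sql)  # raises sqlite3.OperationalError for the sample claims
    conn.commit()

def set_token_data_safe(conn, claims):
    """Hardened form: fixed SQL text, claim values bound as parameters, so the
    database never parses claim content as SQL."""
    conn.execute("UPDATE faquser SET display_name = ? WHERE login = ?",
                 (claims["name"], claims["preferred_username"]))
    conn.commit()

def demo(claims=SAMPLE_CLAIMS):
    """Run both variants on the same claims: (unsafe_broke, safe_stored, flagged)."""
    unsafe_broke = False
    try:
        set_token_data_unsafe(fresh_db(), claims)
    except sqlite3.OperationalError:
        unsafe_broke = True
    conn = fresh_db()
    set_token_data_safe(conn, claims)
    stored = conn.execute("SELECT display_name FROM faquser WHERE login = ?",
                          (claims["preferred_username"],)).fetchone()[0]
    return unsafe_broke, stored, suspicious_claims(claims)
```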

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access)

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK; one of them is shown below as Sigma YAML.

Level: high · ATT&CK: T1190 Initial Access

Sigma YAML:
title: CVE-2026-46359: phpMyFAQ SQL Injection via OAuth Token Claims
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  This rule detects potential SQL injection attempts against phpMyFAQ by looking for requests containing '/phpmyfaq/' in the URI and 'token=' in the query string. This is specific to CVE-2026-46359 where attackers can inject SQL via OAuth token claims.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-46359/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/phpmyfaq/'
    cs-uri-query|contains:
      - 'token='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID             | Type | Indicator
CVE-2026-46359 | SQLi | phpMyFAQ
CVE-2026-46359 | SQLi | phpMyFAQ before 4.1.2
CVE-2026-46359 | SQLi | CurrentUser::setTokenData function
CVE-2026-46359 | SQLi | Injection via malicious OAuth token claims
CVE-2026-46359 | SQLi | Azure AD accounts with SQL metacharacters in display names or JWT claims

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
