CVE-2026-27836 HIGH

CVE-2026-27836: phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint

Vendor: Thorsten
Product: phpMyFAQ
Weakness: CWE-862 · Missing authorization
Published: February 27, 2026
Last update: March 3, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

Description

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue.
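A triage aid for the issue described above, added here as an example and not taken from phpMyFAQ or the CVE record: it checks an installed version against the fixed release and counts served requests to the prepare endpoint per client in a web access log. The Combined Log Format, the sample lines, the 2xx filter and the threshold are assumptions.

```python
import re
from collections import Counter

ENDPOINT = "/api/webauthn/prepare"   # endpoint named in the advisory
FIXED = (4, 0, 18)                   # first fixed release per the advisory

# Assumed Combined Log Format: ip ident user [time] "METHOD target proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_vulnerable(version: str) -> bool:
    """True when a phpMyFAQ version string is older than 4.0.18."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.groups()) < FIXED

def prepare_hits(lines):
    """Count served (2xx) requests to the prepare endpoint per client IP."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0].rstrip("/")
        # endswith() also covers installs under a sub-directory such as /faq
        if path.endswith(ENDPOINT) and status.startswith("2"):
            hits[ip] += 1
    return hits

def flag_sources(lines, threshold=3):
    """Client IPs with at least `threshold` served prepare requests."""
    return sorted(ip for ip, n in prepare_hits(lines).items() if n >= threshold)

# Constructed sample lines (documentation IP ranges; method and sizes invented).
_T = "[28/Feb/2026:10:00:0{} +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {_T.format(1)} "POST /api/webauthn/prepare HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.7 - - {_T.format(2)} "POST /api/webauthn/prepare HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.7 - - {_T.format(3)} "POST /api/webauthn/prepare/ HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.7 - - {_T.format(4)} "POST /api/webauthn/prepare HTTP/1.1" 403 90 "-" "-"',
    f'198.51.100.4 - - {_T.format(5)} "POST /faq/api/webauthn/prepare HTTP/1.1" 200 498 "-" "-"',
    f'198.51.100.9 - - {_T.format(6)} "GET /index.php HTTP/1.1" 200 8120 "-" "-"',
]

if __name__ == "__main__":
    print("4.0.17 affected:", is_vulnerable("4.0.17"))
    print("sources to review:", flag_sources(SAMPLE_LOG))
```

Sources flagged this way are a starting point for reviewing the user table for accounts created while registration was disabled.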

Key dates

Disclosure timeline

February 27, 2026: CVE published
March 3, 2026: Record updated