GHSA-gp95-j463-vv28: phpMyFAQ: Default Empty API Token Authentication Bypass

May 20, 2026

A default empty API client token allows any unauthenticated user to create and modify FAQ entries, categories, and questions via the REST API. The vulnerability exists in all versions since API v4.0 was introduced because the installation process seeds api.apiClientToken with an empty string, and the hasValidToken() comparison logic cannot distinguish between “no token configured” and “attacker sent a matching empty token header.”

References

github.com/advisories/GHSA-gp95-j463-vv28
github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gp95-j463-vv28

Code Behaviors & Features

Detect and mitigate GHSA-gp95-j463-vv28 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →