Tools: CVE-2026-24420: CVE-2026-24420: When `isset()` Becomes a Backdoor in phpMyFAQ

CVE-2026-24420: When isset() Becomes a Backdoor in phpMyFAQ ## ⚠️ Exploit Status: POC ## Technical Details ## Affected Systems ## Code Analysis ## Commit: b2e4f6a ## Exploit Details ## Mitigation Strategies ## References Vulnerability ID: CVE-2026-24420 CVSS Score: 6.5 Published: 2026-01-23 A logic flaw in phpMyFAQ's permission system allows authenticated users to download attachments they explicitly shouldn't have access to, thanks to a misuse of PHP's isset() function and flawed boolean algebra. phpMyFAQ v3.2.x and early 4.x contains a Broken Access Control vulnerability. The application checks if a permission key exists rather than if it is true, and prioritizes group permissions over user restrictions. This allows any authenticated user to download restricted attachments. Fix permission check in attachment.php Read the full report for CVE-2026-24420 on our website for more details including interactive diagrams and full exploit analysis. Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse CODE_BLOCK: - if (($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment'])) { + if (($groupPermission && $userPermission) && !empty($permission['dlattachment']) && $permission['dlattachment'] === true) { Enter fullscreen mode Exit fullscreen mode CODE_BLOCK: - if (($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment'])) { + if (($groupPermission && $userPermission) && !empty($permission['dlattachment']) && $permission['dlattachment'] === true) { CODE_BLOCK: - if (($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment'])) { + if (($groupPermission && $userPermission) && !empty($permission['dlattachment']) && $permission['dlattachment'] === true) { - CWE: CWE-284 / CWE-862 - CVSS v3.1: 6.5 (Medium) - Attack Vector: Network (Authenticated) - Impact: Confidentiality Loss - Privileges Required: Low (Any valid user) - Exploit Status: PoC Available - phpMyFAQ: <= 3.2.13 (Fixed in: 3.2.14) - Internal Research: The PoC is trivial: authentication followed by a direct GET request to the attachment endpoint. - Upgrade to phpMyFAQ v3.2.14 or later. - Manually patch attachment.php to replace isset() with value checks. - Disable the attachment functionality entirely via configuration if patching is not possible. - Backup your phpMyFAQ database and files. - Download the latest release from the official phpMyFAQ repository. - Replace the application files with the new version. - Verify the fix by attempting to download an attachment with a restricted user account. - GHSA Advisory - Official Vendor Site