What is the severity of CVE-2026-24421?

CVE-2026-24421 has a CVSS v3 score of 6.5, which is classified as Medium severity.

Is there an exploit available for CVE-2026-24421?

No known public exploits are currently available for CVE-2026-24421.

Is there a patch available for CVE-2026-24421?

No official patches have been released yet for CVE-2026-24421. Consider implementing workarounds or mitigations.

CVE-2026-24421 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-24421?

### Summary Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. ### Details SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path. ### PoC Precondition: API enabled, any authenticated non‑admin user. - Log in as a non‑admin user. - Call backup endpoint. ``` curl -c /tmp/pmf_api_cookies.txt \ -H 'Content-Type: application/json' \ -d '{"username":"tester","password":"Test1234!"}' \ http://192.168.40.16/phpmyfaq/api/v3.0/login curl -i -b /tmp/pmf_api_cookies.txt \ -X POST --data '4.0.16' \ http://192.168.40.16/phpmyfaq/api/setup/backup ``` ### Impact Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.

CVE-2026-24421 - CVE Details, Severity, and Analysis | Strobes VI

Severity Scores

CVSS v36.5

CVSS v20.0

Priority Score260.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

6.5

CVSS

Exploit

Patch

Medium Priority

no patch

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.

Details

SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path.

PoC

Precondition: API enabled, any authenticated non‑admin user.

Log in as a non‑admin user.
Call backup endpoint.

curl -c /tmp/pmf_api_cookies.txt \
  -H 'Content-Type: application/json' \
  -d '{"username":"tester","password":"Test1234!"}' \
  http://192.168.40.16/phpmyfaq/api/v3.0/login

curl -i -b /tmp/pmf_api_cookies.txt \
  -X POST --data '4.0.16' \
  http://192.168.40.16/phpmyfaq/api/setup/backup

Impact

Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Local

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:Network

Availability:Network

Trend Analysis

Neutral

Advisories

GitHub Advisory NVD