{"id":"CVE-2026-27836","summary":"phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint","details":"phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue.","aliases":["GHSA-w22q-m2fm-x9f4"],"modified":"2026-04-10T05:37:24.991703Z","published":"2026-02-27T19:54:51.992Z","database_specific":{"cwe_ids":["CWE-862"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27836.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27836.json"},{"type":"ADVISORY","url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w22q-m2fm-x9f4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27836"},{"type":"FIX","url":"https://github.com/thorsten/phpMyFAQ/commit/f2ab673f0668753cd0f7c7c8bc7fd2304dcf5cb1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/thorsten/phpmyfaq","events":[{"introduced":"0"},{"fixed":"d566a739c118506a391fd4a9f2fd96dcf8f9b635"}]}],"versions":["2.10.0-alpha","2.6.0","2.6.0-RC","2.6.0-alpha","2.6.0-beta","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.6.6","2.6.7","2.7.0-RC","2.7.0-alpha","2.7.0-alpha2","2.7.0-beta","2.7.0-beta2","2.7.0-beta3","2.8.0","2.8.0-RC","2.8.0-RC2","2.8.0-RC3","2.8.0-RC4","2.8.0-alpha2","2.8.0-alpha3","2.8.0-beta","2.8.0-beta2","2.8.0-beta3","2.8.1","2.8.2","2.9.0","2.9.0-RC","2.9.0-RC2","2.9.0-RC3","2.9.0-RC4","2.9.0-alpha","2.9.0-alpha2","2.9.0-alpha3","2.9.0-alpha4","2.9.0-beta","2.9.0-beta2","3.0.0-alpha","3.0.0-alpha.2","3.0.0-alpha.3","3.0.0-alpha.4","3.0.0-beta","3.0.0-beta.2","3.0.0-beta.3","3.1.0-RC","3.1.0-alpha","3.1.0-alpha.2","3.1.0-alpha.3","3.1.0-beta","3.2.0-alpha","3.2.0-beta","3.2.0-beta.2","4.0.0","4.0.0-RC","4.0.0-RC.2","4.0.0-RC.3","4.0.0-RC.4","4.0.0-RC.5","4.0.0-alpha","4.0.0-alpha.2","4.0.0-alpha.3","4.0.0-alpha.4","4.0.0-beta","4.0.0-beta.2","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.14","4.0.15","4.0.16","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","development-nightly-2023-07-02","development-nightly-2023-07-03","development-nightly-2023-07-04","development-nightly-2023-07-05","development-nightly-2023-07-06","development-nightly-2023-07-07","development-nightly-2023-07-08","development-nightly-2023-07-09","development-nightly-2023-07-10","development-nightly-2023-07-11","development-nightly-2023-07-12","development-nightly-2023-07-13","development-nightly-2023-07-14","development-nightly-2023-07-15","development-nightly-2023-07-16","development-nightly-2023-07-17","development-nightly-2023-07-18","development-nightly-2023-07-19","development-nightly-2023-07-20","development-nightly-2023-07-21","development-nightly-2023-07-22","development-nightly-2023-07-23","development-nightly-2023-07-24","development-nightly-2023-07-25","development-nightly-2023-07-26","development-nightly-2023-07-27","development-nightly-2023-07-28","development-nightly-2023-07-29","development-nightly-2023-07-30","development-nightly-2023-07-31","development-nightly-2023-08-01","development-nightly-2023-08-02","development-nightly-2023-08-03","development-nightly-2023-08-04","development-nightly-2023-08-05","development-nightly-2023-08-06","development-nightly-2023-08-07","development-nightly-2023-08-08","development-nightly-2023-08-09","development-nightly-2023-08-10","development-nightly-2023-08-11","development-nightly-2023-08-12","development-nightly-2023-08-13","development-nightly-2023-08-14","development-nightly-2023-08-15","development-nightly-2023-08-16","development-nightly-2023-08-17","development-nightly-2023-08-18","development-nightly-2023-08-19","development-nightly-2023-08-20","development-nightly-2023-08-21","development-nightly-2023-08-22","development-nightly-2023-08-23","development-nightly-2023-08-24","development-nightly-2023-08-25","development-nightly-2023-08-26","development-nightly-2023-08-27","development-nightly-2023-08-28","development-nightly-2023-08-29","development-nightly-2023-08-30","development-nightly-2023-08-31","development-nightly-2023-09-01","development-nightly-2023-09-02","development-nightly-2023-09-03","development-nightly-2023-09-04","development-nightly-2023-09-05","development-nightly-2023-09-06","development-nightly-2023-09-07","development-nightly-2023-09-08","development-nightly-2023-09-09","development-nightly-2023-09-10","development-nightly-2023-09-11","development-nightly-2023-09-12","development-nightly-2023-09-13","development-nightly-2023-09-14","development-nightly-2023-09-15","development-nightly-2023-09-16","development-nightly-2023-09-17","development-nightly-2023-09-18","development-nightly-2023-09-19","development-nightly-2023-09-20","development-nightly-2023-09-21","development-nightly-2023-09-22","development-nightly-2023-09-23","development-nightly-2023-09-24","development-nightly-2023-09-25","development-nightly-2023-09-26","development-nightly-2023-09-27","development-nightly-2023-09-28","development-nightly-2023-09-29","development-nightly-2023-09-30","development-nightly-2023-10-01","development-nightly-2023-10-02","development-nightly-2023-10-03","development-nightly-2023-10-04","development-nightly-2023-10-05","development-nightly-2023-10-06","development-nightly-2023-10-07","development-nightly-2023-10-08","development-nightly-2023-10-09","development-nightly-2023-10-10","development-nightly-2023-10-11","development-nightly-2023-10-12","development-nightly-2023-10-13","development-nightly-2023-10-14","development-nightly-2023-10-15","development-nightly-2023-10-16","development-nightly-2023-10-17","development-nightly-2023-10-18","development-nightly-2023-10-19","development-nightly-2023-10-20","development-nightly-2023-10-21","development-nightly-2023-10-22","development-nightly-2023-10-23","development-nightly-2023-10-24","development-nightly-2023-10-25","development-nightly-2023-10-26","development-nightly-2023-10-27","development-nightly-2023-10-28","development-nightly-2023-10-29","development-nightly-2023-10-30","development-nightly-2023-10-31","development-nightly-2023-11-01","development-nightly-2023-11-02","development-nightly-2023-11-03","development-nightly-2023-11-04","development-nightly-2023-11-05","development-nightly-2023-11-06","development-nightly-2023-11-07","development-nightly-2023-11-08","development-nightly-2023-11-09","development-nightly-2023-11-10","development-nightly-2023-11-11","development-nightly-2023-11-12","development-nightly-2023-11-13","development-nightly-2023-11-14","development-nightly-2023-11-15","development-nightly-2023-11-16","development-nightly-2023-11-17","development-nightly-2023-11-18","development-nightly-2023-11-19","development-nightly-2023-11-20","development-nightly-2023-11-21","development-nightly-2023-11-22","development-nightly-2023-11-23","development-nightly-2023-11-24","development-nightly-2023-11-25","development-nightly-2023-11-26","development-nightly-2023-11-27","development-nightly-2023-11-28","development-nightly-2023-11-29","development-nightly-2023-11-30","development-nightly-2023-12-01","development-nightly-2023-12-02","development-nightly-2023-12-03","development-nightly-2023-12-04","development-nightly-2023-12-05","development-nightly-2023-12-06","development-nightly-2023-12-07","development-nightly-2023-12-08","development-nightly-2023-12-09","development-nightly-2023-12-10","development-nightly-2023-12-11","development-nightly-2023-12-12","development-nightly-2023-12-13","development-nightly-2023-12-14","development-nightly-2023-12-15","development-nightly-2023-12-16","development-nightly-2023-12-17","development-nightly-2023-12-18","development-nightly-2023-12-19","development-nightly-2023-12-20","development-nightly-2023-12-21","development-nightly-2023-12-22","development-nightly-2023-12-23","development-nightly-2023-12-24","development-nightly-2023-12-25","development-nightly-2023-12-26","development-nightly-2023-12-27","development-nightly-2023-12-28","development-nightly-2023-12-29","development-nightly-2023-12-30","development-nightly-2023-12-31","development-nightly-2024-01-01","development-nightly-2024-01-02","development-nightly-2024-01-03","development-nightly-2024-01-04","development-nightly-2024-01-05","development-nightly-2024-01-06","development-nightly-2024-01-07","development-nightly-2024-01-08","development-nightly-2024-01-09","development-nightly-2024-01-10","development-nightly-2024-01-11","development-nightly-2024-01-12","development-nightly-2024-01-13","development-nightly-2024-01-14","development-nightly-2024-01-15","development-nightly-2024-01-16","development-nightly-2024-01-17","development-nightly-2024-01-18","development-nightly-2024-01-19","development-nightly-2024-01-20","development-nightly-2024-01-21","development-nightly-2024-01-22","development-nightly-2024-01-23","development-nightly-2024-01-24","development-nightly-2024-01-25","development-nightly-2024-01-26","development-nightly-2024-01-27","development-nightly-2024-01-28","development-nightly-2024-01-29","development-nightly-2024-01-30","development-nightly-2024-01-31","development-nightly-2024-02-01","development-nightly-2024-02-02","development-nightly-2024-02-03","development-nightly-2024-02-04","development-nightly-2024-02-05","development-nightly-2024-02-06","development-nightly-2024-02-07","development-nightly-2024-02-08","development-nightly-2024-02-09","development-nightly-2024-02-10","development-nightly-2024-02-11","development-nightly-2024-02-12","development-nightly-2024-02-13","development-nightly-2024-02-14","development-nightly-2024-02-15","development-nightly-2024-02-16","development-nightly-2024-02-17","development-nightly-2024-02-18","development-nightly-2024-02-19","development-nightly-2024-02-20","development-nightly-2024-02-21","development-nightly-2024-02-22","development-nightly-2024-02-23","development-nightly-2024-02-24","development-nightly-2024-02-25","development-nightly-2024-02-26","development-nightly-2024-02-27","development-nightly-2024-02-28","development-nightly-2024-02-29","development-nightly-2024-03-01","development-nightly-2024-03-02","development-nightly-2024-03-03","development-nightly-2024-03-04","development-nightly-2024-03-05","development-nightly-2024-03-06","development-nightly-2024-03-07","development-nightly-2024-03-08","development-nightly-2024-03-09","development-nightly-2024-03-10","development-nightly-2024-03-11","development-nightly-2024-03-12","development-nightly-2024-03-13","development-nightly-2024-03-14","development-nightly-2024-03-15","development-nightly-2024-03-16","development-nightly-2024-03-17","development-nightly-2024-03-18","development-nightly-2024-03-19","development-nightly-2024-03-20","development-nightly-2024-03-21","development-nightly-2024-03-22","development-nightly-2024-03-23","development-nightly-2024-03-24","development-nightly-2024-03-25","development-nightly-2024-03-26","development-nightly-2024-03-27","development-nightly-2024-03-28","development-nightly-2024-03-29","development-nightly-2024-03-30","development-nightly-2024-03-31","development-nightly-2024-04-01","development-nightly-2024-04-02","development-nightly-2024-04-03","development-nightly-2024-04-04","development-nightly-2024-04-05","development-nightly-2024-04-06","development-nightly-2024-04-07","development-nightly-2024-04-08","development-nightly-2024-04-09","development-nightly-2024-04-10","development-nightly-2024-04-11","development-nightly-2024-04-12","development-nightly-2024-04-13","development-nightly-2024-04-14","development-nightly-2024-04-15","development-nightly-2024-04-16","development-nightly-2024-04-17","development-nightly-2024-04-18","development-nightly-2024-04-19","development-nightly-2024-04-20","development-nightly-2024-04-21","development-nightly-2024-04-22","development-nightly-2024-04-23","development-nightly-2024-04-24","development-nightly-2024-04-25","development-nightly-2024-04-26","development-nightly-2024-04-27","development-nightly-2024-04-28","development-nightly-2024-04-29","development-nightly-2024-04-30","development-nightly-2024-05-01","development-nightly-2024-05-02","development-nightly-2024-05-03","development-nightly-2024-05-04","development-nightly-2024-05-05","development-nightly-2024-05-06","development-nightly-2024-05-07","development-nightly-2024-05-08","development-nightly-2024-05-09","development-nightly-2024-05-10","development-nightly-2024-05-11","development-nightly-2024-05-12","development-nightly-2024-05-13","development-nightly-2024-05-14","development-nightly-2024-05-15","development-nightly-2024-05-16","development-nightly-2024-05-17","development-nightly-2024-05-18","development-nightly-2024-05-19","development-nightly-2024-05-20","development-nightly-2024-05-21","development-nightly-2024-05-22","development-nightly-2024-05-23","development-nightly-2024-05-24","development-nightly-2024-05-25","development-nightly-2024-05-26","development-nightly-2024-05-27","development-nightly-2024-05-28","development-nightly-2024-05-29","development-nightly-2024-05-30","development-nightly-2024-05-31","development-nightly-2024-06-01","development-nightly-2024-06-02","development-nightly-2024-06-03","development-nightly-2024-06-04","development-nightly-2024-06-05","development-nightly-2024-06-06","development-nightly-2024-06-07","development-nightly-2024-06-08","development-nightly-2024-06-09","development-nightly-2024-06-10","development-nightly-2024-06-11","development-nightly-2024-06-12","development-nightly-2024-06-13","development-nightly-2024-06-14","development-nightly-2024-06-15","development-nightly-2024-06-16","development-nightly-2024-06-17","development-nightly-2024-06-18","development-nightly-2024-06-19","development-nightly-2024-06-20","development-nightly-2024-06-21","development-nightly-2024-06-22","development-nightly-2024-06-23","development-nightly-2024-06-24","development-nightly-2024-06-25","development-nightly-2024-06-26","development-nightly-2024-06-27","development-nightly-2024-06-28","development-nightly-2024-06-29","development-nightly-2024-06-30","development-nightly-2024-07-01","development-nightly-2024-07-02","development-nightly-2024-07-03","development-nightly-2024-07-04","development-nightly-2024-07-05","development-nightly-2024-07-06","development-nightly-2024-07-07","development-nightly-2024-07-08","development-nightly-2024-07-09","development-nightly-2024-07-10","development-nightly-2024-07-11","development-nightly-2024-07-12","development-nightly-2024-07-13","development-nightly-2024-07-14","development-nightly-2024-07-15","development-nightly-2024-07-16","development-nightly-2024-07-17","development-nightly-2024-07-18","development-nightly-2024-07-19","development-nightly-2024-07-20","development-nightly-2024-07-21","development-nightly-2024-07-22","development-nightly-2024-07-23","development-nightly-2024-07-24","development-nightly-2024-07-25","development-nightly-2024-07-26","development-nightly-2024-07-27","development-nightly-2024-07-28","development-nightly-2024-07-29","development-nightly-2024-07-30","development-nightly-2024-07-31","development-nightly-2024-08-01","development-nightly-2024-08-02","development-nightly-2024-08-03","development-nightly-2024-08-04","development-nightly-2024-08-05","development-nightly-2024-08-06","development-nightly-2024-08-07","development-nightly-2024-08-08","development-nightly-2024-08-09","development-nightly-2024-08-10","development-nightly-2024-08-11","development-nightly-2024-08-12","development-nightly-2024-08-13","development-nightly-2024-08-14","development-nightly-2024-08-15","development-nightly-2024-08-16","development-nightly-2024-08-17","development-nightly-2024-08-18","development-nightly-2024-08-19","development-nightly-2024-08-20","development-nightly-2024-08-21","development-nightly-2024-08-22","development-nightly-2024-08-23","development-nightly-2024-08-24","development-nightly-2024-08-25","development-nightly-2024-08-26","development-nightly-2024-08-27","development-nightly-2024-08-28","development-nightly-2024-08-29","development-nightly-2024-08-30","development-nightly-2024-08-31","development-nightly-2024-09-01","development-nightly-2024-09-02","development-nightly-2024-09-03","development-nightly-2024-09-04","development-nightly-2024-09-05","development-nightly-2024-09-06","development-nightly-2024-09-07","development-nightly-2024-09-08","development-nightly-2024-09-09","development-nightly-2024-09-10","development-nightly-2024-09-11","development-nightly-2024-09-12","development-nightly-2024-09-13","development-nightly-2024-09-14","development-nightly-2024-09-15","development-nightly-2024-09-16","development-nightly-2024-09-17","development-nightly-2024-09-18","development-nightly-2024-09-19","development-nightly-2024-09-20","development-nightly-2024-09-21","development-nightly-2024-09-22","development-nightly-2024-09-23","development-nightly-2024-09-24","development-nightly-2024-09-25","development-nightly-2024-09-26","development-nightly-2024-09-27","development-nightly-2024-09-28","development-nightly-2024-09-29","development-nightly-2024-09-30","development-nightly-2024-10-01","development-nightly-2024-10-02","development-nightly-2024-10-03","development-nightly-2024-10-04","development-nightly-2024-10-05","development-nightly-2024-10-06","development-nightly-2024-10-07","development-nightly-2024-10-08","development-nightly-2024-10-09","development-nightly-2024-10-10","development-nightly-2024-10-11","development-nightly-2024-10-12","development-nightly-2024-10-13","development-nightly-2024-10-14","development-nightly-2024-10-15","development-nightly-2024-10-16","development-nightly-2024-10-17","development-nightly-2024-10-18","development-nightly-2024-10-19","development-nightly-2024-10-20","development-nightly-2024-10-21","development-nightly-2024-10-22","development-nightly-2024-10-23","development-nightly-2024-10-24","development-nightly-2024-10-25","development-nightly-2024-10-26","development-nightly-2024-10-27"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27836.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}