Announcement-ID: PMASA-2022-1

Date: 2022-01-10


Two factor authentication bypass


There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass.

Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user's two factor status.


We do not consider this vulnerability to be severe due to the steps required to prepare for the attack and access required. Further, as noted above, a user is permitted to disable two factor authentication through conventional means.

Affected Versions

phpMyAdmin versions of the 4.9 branch prior to 4.9.8 and 5.1 prior to 5.1.2 are affected.


Upgrade to phpMyAdmin 4.9.8, 5.1.2, or newer or apply patch listed below.


phpMyAdmin team member William Desportes discovered this weakness

Assigned CVE ids: CVE-2022-23807

CWE ids: CWE-661


The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is