Executive Summary
A missing authentication vulnerability has been identified in the jairiidriss/restaurant-website-php-mysql open-source project. The flaw, tracked as CVE-2026-14622, resides in the /admin/ajax_files AJAX endpoint and allows any unauthenticated remote attacker to interact with administrative functionality that should be access-controlled. The vulnerability carries a CVSS score of 7.3 (High).
CVSS Score: 7.3 (High)
The issue was disclosed through the NVD on July 4, 2026. The affected codebase is a PHP/MySQL-based restaurant website template. While not a widely deployed enterprise product, public-facing deployments of this project or forks of it are exposed to unauthorized access to administrative AJAX operations.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-14622 |
| CVSS Score | 7.3 (High) |
| Type | Missing Authentication (CWE-306) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | Low |
Affected Versions
| Project | Affected Commit | Status |
|---|---|---|
| jairiidriss/restaurant-website-php-mysql | Up to 521428b5b612449df0cf4a5d15ee40cba67f3d35 | No official patch confirmed |
Technical Details
The vulnerability exists in the /admin/ajax_files component, which handles AJAX requests intended for administrative use. The endpoint fails to enforce authentication checks before processing incoming requests, meaning an attacker can craft requests directly to this endpoint from the network without providing any credentials.
Attack Scenario
1. Attacker identifies a publicly accessible instance of restaurant-website-php-mysql
2. Attacker sends direct HTTP request to /admin/ajax_files endpoint
3. Server processes request without verifying caller identity
4. Attacker can read, modify, or manipulate data handled by the endpoint
5. Depending on endpoint functionality: menu items, orders, or admin data may be exposedWhy This Matters
AJAX endpoints exposed without authentication are a common pattern in legacy PHP applications. While the affected project may appear niche, the same vulnerability class appears frequently across:
- Restaurant and small business PHP templates
- CMS themes and plugins with admin-only API routes
- Legacy codebases where authentication was not applied consistently to all routes
Any organization running a fork or derivative of this codebase should audit their AJAX endpoint authentication.
Remediation
Immediate Steps
- Restrict access to
/admin/ajax_filesat the web server level (Apache.htaccessor Nginxlocationblock) to require authentication or limit to trusted IPs. - Audit all AJAX endpoints in the project for missing
session_start()and authentication checks. - Apply authentication middleware to every admin AJAX handler.
Code-Level Fix Pattern
<?php
// At the top of every admin AJAX handler
session_start();
if (!isset($_SESSION['admin_logged_in']) || $_SESSION['admin_logged_in'] !== true) {
http_response_code(401);
echo json_encode(['error' => 'Unauthorized']);
exit;
}
// ... rest of handler logicWeb Server Restriction (Apache)
# .htaccess — restrict admin AJAX to authenticated sessions only
<Files "ajax_files">
Require valid-user
AuthType Basic
AuthName "Admin Area"
AuthUserFile /path/to/.htpasswd
</Files>Web Server Restriction (Nginx)
location /admin/ajax_files {
deny all;
# Or restrict to internal IP range:
# allow 192.168.0.0/16;
# deny all;
}Detection
Monitor your web access logs for unexpected requests to admin AJAX endpoints from external IP addresses:
# Check for requests to admin AJAX endpoints from external sources
grep "ajax_files" /var/log/apache2/access.log | grep -v "192.168."
# Count by source IP to identify scanning activity
grep "ajax_files" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20