phpMyFAQ versions before 4.1.3 contain an authentication bypass vulnerability in API v4.0. The vulnerability stems from a default empty api.apiClientToken configuration that allows unauthenticated users to bypass token validation by sending an empty x-pmf-token header. Attackers can exploit this flaw to create and modify FAQ entries through specific POST endpoints including /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question. This allows unauthorized users to inject malicious content into the FAQ system without proper authentication. The vulnerability affects the API's token validation mechanism and could lead to content manipulation and potential further exploitation.