Skip to main content

phpBB CVE-2026-29199

| EUVDEUVD-2026-26892 HIGH
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-05-04 hackerone GHSA-7gm6-w7mx-58cr
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 20:22 vuln.today
CVSS changed
May 04, 2026 - 20:22 NVD
8.1 (HIGH)
EUVD ID Assigned
May 04, 2026 - 07:00 euvd
EUVD-2026-26892
CVE Published
May 04, 2026 - 05:42 nvd
N/A

DescriptionCVE.org

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.

AnalysisAI

Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_vars is disabled. Attackers manipulating HTTP Host headers can redirect password reset links to attacker-controlled domains, enabling credential theft and account takeover. CVSS 8.1 with network vector and no authentication required, though EPSS exploitation probability is low (0.02%, 4th percentile), suggesting limited observed exploitation activity. Vendor-released fix available in phpBB 3.3.16.

Technical ContextAI

This vulnerability exploits improper validation of the HTTP Host header in phpBB's password reset functionality. When the force_server_vars configuration option is disabled (non-default in some deployments), phpBB extracts the server hostname directly from the user-supplied Host header to construct password reset URLs. This represents CWE-640 (Weak Password Recovery Mechanism for Forgotten Password), where the application trusts unvalidated client input for security-critical URL generation. The attack relies on webserver misconfiguration or missing header validation at the reverse proxy/load balancer layer. Affected versions span phpBB 3.0.0 through 3.3.15 per CPE data, covering over a decade of releases. The vulnerability requires the webserver to accept arbitrary Host header values and forward them to phpBB without sanitization.

RemediationAI

Upgrade to phpBB 3.3.16 or later immediately, which addresses the Host header injection vulnerability. For installations unable to upgrade immediately, enable the force_server_vars configuration option in phpBB's config.php to force hostname extraction from server variables rather than HTTP headers, though this may require additional webserver configuration to set correct SERVER_NAME values. Implement Host header validation at the webserver or reverse proxy layer by configuring an explicit whitelist of allowed Host values and rejecting requests with unrecognized headers-note this may break legitimate access through alternative domains or IP addresses if not carefully configured. For nginx, use 'if ($host !~* ^(forum\.example\.com)$) { return 444; }' directives; for Apache, use mod_rewrite rules to validate Host header. Monitor password reset request logs for suspicious patterns such as external domains in generated URLs. Reference the HackerOne report at https://hackerone.com/reports/3543246 for additional technical details. Each mitigation has trade-offs: force_server_vars requires proper server configuration, header validation may block legitimate multi-domain access, and upgrade requires testing for compatibility with custom modifications.

More in Phpbb

View all
CVE-2026-48611 CRITICAL POC
9.8 Jun 12

Account hijacking in phpBB is possible due to improper authentication checks in the OAuth implementation, affecting defa

CVE-2018-19274 HIGH POC
7.2 Nov 17

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Inject

CVE-2019-13376 MEDIUM POC
6.5 Sep 27

phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote A

CVE-2019-16993 HIGH
8.8 Sep 30

In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in

CVE-2026-48612 HIGH
8.0 Jun 12

Account takeover in phpBB via OAuth state-verification flaw enables remote attackers to link a victim's forum account to

CVE-2019-9826 HIGH
7.5 May 02

The fulltext search component in phpBB before 3.2.6 allows Denial of Service. Rated high severity (CVSS 7.5), this vulne

CVE-2026-47366 HIGH
7.2 Jun 12

Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions

CVE-2015-1432 MEDIUM
6.8 Feb 10

The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the fo

CVE-2020-5502 MEDIUM
6.5 Jan 15

phpBB 3.2.8 allows a CSRF attack that can approve pending group memberships. Rated medium severity (CVSS 6.5), this vuln

CVE-2015-3880 MEDIUM
6.1 Sep 19

Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of G

CVE-2023-5917 MEDIUM
6.1 Nov 02

A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10.php of the component Smiley P

CVE-2026-48613 MEDIUM
5.9 Jun 12

SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profi

Share

CVE-2026-29199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy