Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ACP is network-reachable (AV:N), exploitation is a single request (AC:L), requires an existing administrator account (PR:H), no user interaction, and yields full board takeover (C:H/I:H/A:H).
Primary rating from Vendor (hackerone).
CVSS Vector (Vendor: hackerone)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description (source: CVE.org)
Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface.
Analysis (AI-generated)
Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions beyond their authorized scope through the Administration Control Panel (ACP), enabling elevation to full administrative control over the forum. The flaw stems from improper verification of access permissions when permissions are modified via the ACP; no public exploit was identified at the time of analysis. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must hold an authenticated administrator session on the target phpBB board with access to the Administration Control Panel permission-modification screens (CVSS PR:H), but does not need founder or full-admin rights: the bug is that a lower-tier administrator can grant themselves permissions beyond their authorized set. … |
| Risk Assessment | The CVSS 3.0 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H scores 7.2 (High), driven by full CIA impact once exploited but tempered by the PR:H requirement: the attacker must already hold a high-privilege ACP account. … |
| Exploit Scenario | A community board promotes a long-time moderator to a limited 'forum administrator' role intended only to manage forums and announcements; the moderator logs into the ACP, opens a permissions edit form for their own user or group, and submits a request that assigns founder-equivalent or a_* permissions that the role should not be allowed to grant, then uses the newly acquired rights to read private messages, exfiltrate the user table, or take over the board. No public exploit was identified at the time of analysis, and AC:L plus UI:N indicate the action is a straightforward ACP HTTP request once the limited admin session is held. |
| Remediation | Upgrade to the patched phpBB release identified in the vendor announcement at https://www.phpbb.com/community/viewtopic.php?t=2672170; the exact fixed version was not included in the input data, so administrators should consult that topic for the released patched version (no patch version independently confirmed from the available data). … |
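The defect the description and scenario above point to is a permission-modification handler that confirms the caller is an administrator but never compares the requested flags against what that caller is authorized to delegate. The following is an added illustrative model, not phpBB's ACP code: it places a flawed handler of that shape next to a hardened one that applies the usual rule (founders may assign anything; any other administrator may only grant flags they themselves hold) and runs both against a limited "forum administrator" asking for board- and user-level flags. The `Admin` class, the handler names and the sample accounts are hypothetical, and the flag names are constructed examples in the style of phpBB's a_* permissions.

```python
# Added illustrative model (not phpBB code): validating an ACP-style permission
# grant so a limited administrator cannot delegate rights they do not hold.
# Flag names such as "a_forum" are constructed examples in the style of phpBB's
# a_* admin permissions; the accounts below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Admin:
    """An ACP user and the set of admin permission flags they currently hold."""
    name: str
    is_founder: bool
    perms: frozenset


class PermissionDenied(Exception):
    """Raised when a permission change must be refused."""


def grant_unchecked(actor: Admin, target_perms: frozenset, requested: frozenset) -> frozenset:
    """Flawed handler: only verifies that the actor is *some* administrator.

    It never compares the requested flags against what the actor is
    authorized to grant, so a limited admin can escalate by editing their
    own (or a group's) permission set.
    """
    if not actor.is_founder and not actor.perms:
        raise PermissionDenied(f"{actor.name} is not an administrator")
    return target_perms | requested


def grant_checked(actor: Admin, target_perms: frozenset, requested: frozenset) -> frozenset:
    """Hardened handler: an actor may only grant flags they hold themselves.

    Founders are the only accounts allowed to assign arbitrary flags; every
    other administrator is limited to delegating a subset of their own set.
    """
    if actor.is_founder:
        return target_perms | requested
    if not actor.perms:
        raise PermissionDenied(f"{actor.name} is not an administrator")
    excess = requested - actor.perms
    if excess:
        raise PermissionDenied(
            f"{actor.name} is not authorized to grant {sorted(excess)}"
        )
    return target_perms | requested


def grant_is_allowed(actor: Admin, requested: frozenset) -> bool:
    """Would the hardened check accept this request from this actor?"""
    try:
        grant_checked(actor, frozenset(), requested)
    except PermissionDenied:
        return False
    return True


# Constructed sample accounts mirroring the scenario in the assessment table.
FOUNDER = Admin("founder", True, frozenset({"a_board", "a_user", "a_forum", "a_authusers"}))
FORUM_ADMIN = Admin("forum_admin", False, frozenset({"a_forum", "a_forumadd"}))

# What the limited admin submits: their own flags plus board/user control.
ESCALATION_REQUEST = frozenset({"a_forum", "a_user", "a_board", "a_authusers"})


def demo() -> dict:
    """Run both handlers against the same request and report the outcome."""
    return {
        # The flawed handler silently merges the escalated flags in.
        "unchecked_grants": sorted(
            grant_unchecked(FORUM_ADMIN, FORUM_ADMIN.perms, ESCALATION_REQUEST)
        ),
        # The hardened handler refuses flags the actor does not hold ...
        "checked_allows_escalation": grant_is_allowed(FORUM_ADMIN, ESCALATION_REQUEST),
        # ... but still lets the actor delegate a subset of their own flags ...
        "checked_allows_subset": grant_is_allowed(FORUM_ADMIN, frozenset({"a_forum"})),
        # ... and leaves founders unrestricted.
        "founder_allowed": grant_is_allowed(FOUNDER, ESCALATION_REQUEST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the comparison is where the authorization decision is made: checking "is this user an administrator" at the top of the request is not enough when the request body itself names the privileges being assigned; each requested flag has to be tested against the grantor's own authority, and self-targeted edits get no special treatment.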
Related phpBB vulnerabilities
- Account hijacking in phpBB is possible due to improper authentication checks in the OAuth implementation, affecting defa…
- Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_var…
- Account takeover in phpBB via OAuth state-verification flaw enables remote attackers to link a victim's forum account to…
- SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profi…
Same weakness: CWE-284 – Improper Access Control
Same technique: Authentication Bypass
Identifiers
- EUVD-2026-36377
- GHSA-f8mc-8mhv-jcrc