Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description confirms remote unauthenticated account hijacking on default installs with no user interaction, yielding full C/I/A impact on the compromised account context.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.
AnalysisAI
Account hijacking in phpBB is possible due to improper authentication checks in the OAuth implementation, affecting default installations even when OAuth is not configured or enabled. Remote unauthenticated attackers can gain unauthorized access to arbitrary accounts on the forum platform, with no public exploit identified at time of analysis despite the critical 9.8 CVSS score.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of phpBB. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N indicates remote, network-reachable, low-complexity exploitation with no authentication and no user interaction, scoring 9.8 critical. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker sends specially crafted requests to the OAuth authentication endpoints of a target phpBB forum, abusing the flawed authentication checks to associate or assume the identity of an existing account - including administrative accounts - without needing valid credentials. Because the flaw triggers on default installations regardless of OAuth configuration, any internet-reachable phpBB site is a candidate target. … |
| Remediation | Patch available per vendor advisory - administrators should consult the phpBB community advisory at https://www.phpbb.com/community/viewtopic.php?t=2672170 and upgrade to the fixed release identified there as soon as practical, since no exact fix version was provided in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all phpBB installations and their versions; assess exposure scope; notify forum administrators and relevant stakeholders. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_var
Account takeover in phpBB via OAuth state-verification flaw enables remote attackers to link a victim's forum account to
Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions
SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profi
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36375
GHSA-24pr-8ggp-h88c