Skip to main content

phpBB EUVDEUVD-2026-36375

| CVE-2026-48611 CRITICAL
Improper Authentication (CWE-287)
2026-06-12 hackerone GHSA-24pr-8ggp-h88c
9.8
CVSS 3.0 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Description confirms remote unauthenticated account hijacking on default installs with no user interaction, yielding full C/I/A impact on the compromised account context.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 12, 2026 - 03:43 vuln.today

DescriptionCVE.org

Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.

AnalysisAI

Account hijacking in phpBB is possible due to improper authentication checks in the OAuth implementation, affecting default installations even when OAuth is not configured or enabled. Remote unauthenticated attackers can gain unauthorized access to arbitrary accounts on the forum platform, with no public exploit identified at time of analysis despite the critical 9.8 CVSS score.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed phpBB forum
Delivery
Send crafted request to OAuth endpoint
Exploit
Bypass authentication checks
Execution
Hijack target account session
Impact
Access or escalate to administrative privileges

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of phpBB. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N indicates remote, network-reachable, low-complexity exploitation with no authentication and no user interaction, scoring 9.8 critical. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker sends specially crafted requests to the OAuth authentication endpoints of a target phpBB forum, abusing the flawed authentication checks to associate or assume the identity of an existing account - including administrative accounts - without needing valid credentials. Because the flaw triggers on default installations regardless of OAuth configuration, any internet-reachable phpBB site is a candidate target. …
Remediation Patch available per vendor advisory - administrators should consult the phpBB community advisory at https://www.phpbb.com/community/viewtopic.php?t=2672170 and upgrade to the fixed release identified there as soon as practical, since no exact fix version was provided in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all phpBB installations and their versions; assess exposure scope; notify forum administrators and relevant stakeholders. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-36375 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy