
phpBB EUVD-2026-36377

CVE-2026-47366 HIGH
Improper Access Control (CWE-284)
2026-06-12 hackerone GHSA-f8mc-8mhv-jcrc
7.2 CVSS 3.0 · Vendor: hackerone

Severity by source

Vendor (hackerone), primary: 7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.2 HIGH

ACP is network-reachable (AV:N), exploitation is a single request (AC:L), requires an existing administrator account (PR:H), no user interaction, and yields full board takeover (C:H/I:H/A:H).

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS Vector (Vendor: hackerone)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Jun 22, 2026 - 06:03 (cve.org), HIGH 7.2
Analysis Generated: Jun 12, 2026 - 03:45 (vuln.today)

Description (CVE.org)

Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface.

Analysis (AI)

Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions beyond their authorized scope through the Administration Control Panel (ACP), enabling elevation to full administrative control over the forum. The flaw stems from improper verification of access permissions when permissions are modified via the ACP; no public exploit had been identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain limited ACP admin account
Delivery: Authenticate to /adm/ control panel
Exploit: Submit crafted permission-modification request
Execution: Bypass per-permission authorization check
Persist: Grant self founder/a_* rights
Impact: Take over board and exfiltrate user data

Vulnerability Assessment (AI)

Exploitation: The attacker must hold an authenticated administrator session on the target phpBB board with access to the Administration Control Panel permission-modification screens (CVSS PR:H), but does NOT need founder/full-admin rights: the bug is that a lower-tier administrator can grant themselves permissions beyond their authorized set. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.0 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H scores 7.2 (High), driven by full CIA impact once exploited but tempered by the PR:H requirement: the attacker must already hold a high-privilege ACP account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: A community board promotes a long-time moderator to a limited 'forum administrator' role intended only to manage forums and announcements; the moderator logs into the ACP, opens a permissions edit form for their own user or group, and submits a request that assigns founder-equivalent or a_* permissions that the role should not be allowed to grant, then uses the newly acquired rights to read private messages, exfiltrate the user table, or take over the board. No public exploit was identified at the time of analysis, and AC:L plus UI:N indicate the action is a straightforward ACP HTTP request once the limited admin session is held.
Remediation: Upgrade to the patched phpBB release identified in the vendor announcement at https://www.phpbb.com/community/viewtopic.php?t=2672170; the exact fixed version was not included in the input data, so administrators should consult that topic for the released patched version (no patch version independently confirmed from the available data). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.
