phpBB authentication bypass: introducing CVE-2026-48611 and CVE-2026-48612

Our security research team discovered two vulnerabilities in phpBB that let an attacker impersonate or hijack any user account, including admins, without knowing the password. 

CVE-2026-48611 requires a single unauthenticated HTTP request and works on default phpBB installations. CVE-2026-48612 requires phpBB to have OAuth configured and the victim to be logged in when they access the attacker-supplied link.

CVE-2026-48611 - authentication bypass in phpBB


What is CVE-2026-48611?

CVE-2026-48611 is an authentication bypass in phpBB that lets an attacker get a valid session as any active user, including administrators, with a single unauthenticated HTTP request.

No password, no prior access, and no user interaction required.

The vulnerability was discovered by Dan Stefan Alexandru of the Pentest-Tools.com security research team and reported to phpBB on June 4, 2026.

The fix shipped in phpBB 3.3.17 on June 6, 2026.

Affected software by CVE-2026-48611

All phpBB versions prior to 3.3.17 running with auth_method=db (the default) are affected.

Every default phpBB installation is exposed. phpBB 4.0.0-a2 is also affected.

Business impact of CVE-2026-48611

A successful attack gives the attacker a valid phpBB session as any active user.

For regular accounts, this means access to private messages and any content visible to that user. For administrator accounts, it means full read, write and delete access to the entire forum: posts, private boards, user data, and so on.

Exploitation requires only a known username. On default phpBB installations, the member list is publicly accessible, so an attacker can enumerate targets without any prior access.

Affected deployments include:

→ Any public phpBB forum running a version prior to 3.3.17 - the member list is visible by default, making username enumeration trivial.

→ Internal phpBB installations (company wikis, support boards) where the member list may be restricted - an attacker with internal network access or a known username can still exploit this.

→ phpBB 4.0.0-a2 alpha installations.


[Later edit: Jun 15, 2026]

Thank you to the anonymous reader who pointed out an attacker can, in fact, directly access the ACP panel after impersonating an admin user. We’ve updated the vulnerability description to reflect that.

Detection and scanning for CVE-2026-48611

You can detect vulnerable phpBB installations using the Network Scanner on Pentest-Tools.com. Detection is available on all paid plans. Here’s a sample finding for an exposed target that you can include in your vulnerability assessment or penetration testing report:

Mitigation for CVE-2026-48611

Patch. Upgrade to phpBB 3.3.17 or later. This is the only complete fix. There is no configuration workaround that fully closes this attack path on versions prior to 3.3.17.

After patching. Re-scan affected assets to confirm the fix is in place and no vulnerable instances remain.

Discovery and disclosure timeline for CVE-2026-48611

May 13, 2026: Vulnerability discovered by Dan Stefan Alexandru, Pentest-Tools.com security research team

June 4, 2026: Reported to phpBB security team by Dan Stefan Alexandru

June 6, 2026: phpBB 3.3.17 released

June 8, 2026: Public disclosure - this page published

CVE-2026-48612 - OAuth auth-link CSRF leading to account takeover


What is CVE-2026-48612?

CVE-2026-48612 is a chained vulnerability in phpBB's OAuth implementation that lets an attacker take over the account of any logged-in user who opens a single attacker-supplied URL.

Affected software by CVE-2026-48612

All phpBB versions prior to 3.3.17 where $config['auth_method'] is set to 'oauth' and at least one OAuth 2.0 provider (Google, Facebook, or Bitly) is configured with valid client credentials. Twitter (OAuth 1.0a) is not affected.

Default phpBB installations use auth_method = 'db' and are not exposed to CVE-2026-48612. This vulnerability only affects boards where an administrator has explicitly enabled OAuth authentication.

Business impact of CVE-2026-48612

A successful attack gives the attacker a permanent OAuth login credential for the victim's phpBB account. The binding persists in phpbb_oauth_accounts until an administrator removes it or the victim notices and revokes it.

For regular user accounts, the attacker gains access to private messages, any content visible to that user, and the ability to post or take moderation actions under the victim's identity. For administrator accounts, this extends to full forum management - user data, private boards, configuration, and the ability to moderate or delete any content.

phpBB's Administration Control Panel requires password re-authentication and does not offer OAuth login, so ACP-level functions are not reachable via this chain. Password and email changes also require the current password.

The attack can be delivered without any user clicking - by embedding the malicious URL inside an <img src="..."> tag in a forum post or private message. A victim's browser loads the image, making the GET request while the victim is authenticated, and the account link is created silently.

Affected deployments include any phpBB board where an administrator has enabled OAuth authentication with Google, Facebook, or Bitly as the provider.

Mitigation for CVE-2026-48612

Patch. Upgrade to phpBB 3.3.17 or later.

If you cannot patch immediately and your board has OAuth enabled, disable OAuth authentication in the administration panel (ACP > General > Authentication) and switch to auth_method=db until the upgrade is complete. This removes the attack surface entirely.

After patching. Audit phpbb_oauth_accounts for unexpected entries - rows where the oauth_provider_id does not match an account the user intentionally linked. Remove any suspicious entries.
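The post-patch audit described above, as an added example that is neither phpBB's own code nor part of this advisory: it builds an in-memory SQLite copy of phpbb_oauth_accounts and phpbb_users (column names assumed from phpBB's schema, not stated on this page) with constructed rows, and flags the two patterns an attacker-created binding tends to leave behind: one OAuth identity bound to several forum accounts, and a binding whose user no longer exists.

```python
import sqlite3

# Assumed columns (phpBB's schema is not reproduced on the advisory page).
SCHEMA = """
CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL);
CREATE TABLE phpbb_oauth_accounts (
    user_id INTEGER NOT NULL, provider TEXT NOT NULL, oauth_provider_id TEXT NOT NULL);
"""

# Constructed sample data: 'attacker-oauth-sub' is bound to two accounts, which is
# what repeated auth-link CSRF looks like; user_id 5 has no phpbb_users row at all.
SAMPLE = """
INSERT INTO phpbb_users VALUES (2,'admin'),(3,'alice'),(4,'bob');
INSERT INTO phpbb_oauth_accounts VALUES
  (2,'auth.provider.oauth.service.google','attacker-oauth-sub'),
  (3,'auth.provider.oauth.service.google','attacker-oauth-sub'),
  (4,'auth.provider.oauth.service.google','bob-own-google-sub'),
  (5,'auth.provider.oauth.service.facebook','orphan-sub');
"""

# Portable SQL: same query works against MySQL/PostgreSQL with the board's table prefix.
AUDIT_SQL = """
SELECT * FROM (
    SELECT a.user_id, u.username, a.provider, a.oauth_provider_id,
           (SELECT COUNT(DISTINCT b.user_id) FROM phpbb_oauth_accounts b
             WHERE b.provider = a.provider
               AND b.oauth_provider_id = a.oauth_provider_id) AS shared_by
    FROM phpbb_oauth_accounts a
    LEFT JOIN phpbb_users u ON u.user_id = a.user_id
)
WHERE shared_by > 1 OR username IS NULL
ORDER BY oauth_provider_id, user_id
"""

def audit_oauth_links(conn):
    """Return (user_id, username, provider, oauth_provider_id, shared_by) rows to review."""
    return conn.execute(AUDIT_SQL).fetchall()

def remove_link(conn, user_id, provider, oauth_provider_id):
    """Delete one confirmed-suspicious binding; returns the number of rows removed."""
    cur = conn.execute(
        "DELETE FROM phpbb_oauth_accounts WHERE user_id=? AND provider=? AND oauth_provider_id=?",
        (user_id, provider, oauth_provider_id))
    conn.commit()
    return cur.rowcount

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

if __name__ == "__main__":
    for row in audit_oauth_links(demo_db()):
        print(row)
```

A binding legitimately shared by two accounts is possible (one person, two forum accounts), so treat the output as a review list and confirm with the user before deleting.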

Discovery and disclosure timeline for CVE-2026-48612

May 13, 2026: Vulnerability discovered by Dan Stefan Alexandru, Pentest-Tools.com security research team

June 4, 2026: Reported to phpBB security team by Dan Stefan Alexandru

June 6, 2026: phpBB 3.3.17 released

June 8, 2026: Public disclosure - this page published