VYPR
Published Jun 9, 2026 · 1 source

Critical phpBB Flaw Allows Account Hijacking with Single Request

A critical authentication bypass vulnerability in phpBB, tracked as PTT-2026-004, enables attackers to hijack any user account, including administrators, with a single crafted request.

A critical flaw discovered in the widely used phpBB forum software allows attackers to hijack any user account, including administrative accounts, with a single unauthenticated request and without knowing the victim's password. The vulnerability, currently designated PTT-2026-004 and pending an official CVE ID, has been rated with a CVSS score of 9.4, reflecting its severe impact. It was discovered by Dan Stefan Alexandru of Pentest-Tools.com and reported to phpBB on June 4.

This authentication bypass affects all phpBB versions up to and including 3.3.16 when using the default database-authentication mode. Notably, the 4.0.0 alpha version is also vulnerable. The ease of exploitation is amplified by the fact that a target's username is the only piece of information required. On a default phpBB installation, the member list is publicly accessible, allowing attackers to easily identify and select victims.

Upon successful exploitation, the attacker gains a valid session as the targeted user. The impact of this session takeover depends on the victim's privileges. For a regular user, it grants access to private messages and any content that user can view. If the targeted user is an administrator, the attacker gains full read, write, and delete access across the entire forum. However, the Administration Control Panel itself still requires the administrator's password, so the takeover stops short of complete control of the system.

In addition to the critical account takeover flaw, a second vulnerability (PTT-2026-005) has been disclosed, affecting phpBB installations that use OAuth logins for services such as Google, Facebook, or Bitly. This vulnerability, rated 8.3, combines a cross-site request forgery (CSRF) weakness with insufficient validation of OAuth state parameters. An attacker can exploit it by tricking a logged-in victim into visiting a crafted URL, which then silently binds the attacker's own OAuth credential to the victim's account.

This second vulnerability enables a full account takeover without any direct user interaction beyond visiting the malicious link, which could be hidden within an image tag in a forum post or private message. The malicious OAuth binding persists in the phpBB database until an administrator or the victim manually removes it, posing a significant risk to users who have enabled OAuth authentication.
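The OAuth weakness above comes down to a callback that binds an external identity without proving the current session started the linking flow. The following is an added illustration, not phpBB's code and not the researcher's proof of concept: a toy "link account" flow in which `check_state=False` models the weak behaviour (the callback trusts whatever arrives) and `check_state=True` models the hardened form (the callback is honoured only when it carries the exact state value this session minted). It also includes a simple audit heuristic for a link table of the kind the advisory suggests reviewing. All class, function and column names here are assumptions, and the sample rows are constructed.

```python
"""Added example (not phpBB's code): why an OAuth 'link account' callback
must verify a session-bound state value, plus a small audit over link rows.
Names (OAuthLinkFlow, begin_link, complete_link, audit_links) are assumed."""
import hmac
import secrets


class OAuthLinkFlow:
    """Toy model of linking an external OAuth identity to a local account.

    check_state=False: the callback binds whatever identity it is handed.
    check_state=True:  bind only when the callback carries the state value
                       that this very session generated in begin_link().
    """

    def __init__(self, check_state=True):
        self.check_state = check_state
        self._pending = {}   # session_id -> {provider: state}
        self.links = []      # rows of (local_user_id, provider, provider_user_id)

    def begin_link(self, session_id, provider):
        """Step 1: user clicks 'link account'; server mints an unguessable
        state, stores it against this session, and puts it in the redirect."""
        state = secrets.token_urlsafe(32)
        self._pending.setdefault(session_id, {})[provider] = state
        return state

    def complete_link(self, session_id, local_user_id, provider,
                      returned_state, provider_user_id):
        """Step 2: provider callback. Returns True if the identity was bound."""
        if self.check_state:
            expected = self._pending.get(session_id, {}).pop(provider, None)
            # Reject if this session never started a link, or the state differs.
            if expected is None or returned_state is None:
                return False
            if not hmac.compare_digest(expected, returned_state):
                return False
        self.links.append((local_user_id, provider, provider_user_id))
        return True


def simulate_forged_callback(check_state):
    """Victim (user 7, session 'sess-victim') never started a link. A forged
    callback, loaded by the victim's browser, carries a foreign identity and
    a state value this session never issued (constructed scenario)."""
    flow = OAuthLinkFlow(check_state=check_state)
    return flow.complete_link("sess-victim", 7, "google",
                              returned_state="state-from-elsewhere",
                              provider_user_id="ext-id-999")


def simulate_cross_session_state():
    """A state minted for one session must not be accepted by another."""
    flow = OAuthLinkFlow(check_state=True)
    other_state = flow.begin_link("sess-other", "google")
    return flow.complete_link("sess-victim", 7, "google",
                              returned_state=other_state,
                              provider_user_id="ext-id-999")


def simulate_legitimate_link():
    """The normal path: same session starts and finishes the flow."""
    flow = OAuthLinkFlow(check_state=True)
    state = flow.begin_link("sess-alice", "google")
    return flow.complete_link("sess-alice", 3, "google", state, "ext-id-3")


def audit_links(rows):
    """Audit heuristic: flag any external identity bound to more than one
    local account. Rows are (local_user_id, provider, provider_user_id)."""
    owners = {}
    for user_id, provider, ext_id in rows:
        owners.setdefault((provider, ext_id), set()).add(user_id)
    return sorted(key for key, users in owners.items() if len(users) > 1)


if __name__ == "__main__":
    print("weak flow bound forged identity:", simulate_forged_callback(False))
    print("hardened flow bound forged identity:", simulate_forged_callback(True))
    print("cross-session state accepted:", simulate_cross_session_state())
    print("legitimate link succeeded:", simulate_legitimate_link())
    sample = [(3, "google", "ext-id-3"), (7, "google", "ext-id-999"),
              (12, "google", "ext-id-999"), (5, "facebook", "ext-id-5")]
    print("identities linked to several accounts:", audit_links(sample))
```

The hardened path makes three decisions the weak one skips: it refuses a callback for a session that never began a link, it compares the returned state against the value stored for that session (not merely against "any state we ever issued"), and it consumes the pending state so a callback cannot be replayed. The audit helper is a starting point only; an external identity shared by several local accounts is worth a look, but entries should still be confirmed with the users concerned.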

phpBB has addressed both vulnerabilities by releasing version 3.3.17 on June 6. The developers strongly urge all administrators to upgrade to this release, which contains the complete fix for the critical authentication bypass (PTT-2026-004). For the OAuth vulnerability (PTT-2026-005), boards that cannot patch immediately can reduce the risk by disabling OAuth logins, reverting to database authentication, and auditing their OAuth account tables for any unrecognized entries.

The disclosure of these vulnerabilities highlights the ongoing challenges in securing web-based applications, particularly those with large user bases and complex authentication mechanisms. The ease with which the primary flaw can be exploited, requiring only a username and a single request, underscores the need for prompt patching and regular security audits of forum software.

Synthesized by Vypr AI