Critical phpBB Flaw Lets Attackers Hijack Any Account with One Request


A critical flaw in the phpBB forum software has been disclosed that lets attackers hijack any account, including administrators, with a single unauthenticated request and no password.

Tracked as PTT-2026-004 and rated 9.4 on the CVSS scale, the flaw is pending an official CVE ID. The authentication bypass was discovered by Dan Stefan Alexandru of Pentest-Tools.com and reported to phpBB on June 4.

Every phpBB version up to 3.3.16 is affected in its default database-authentication mode, meaning a standard install is exposed out of the box. The 4.0.0 alpha is vulnerable too.

Pulling off the attack requires only a target's username. On a default forum the member list is public, so an attacker can simply read off names to choose a victim.


A successful request hands the attacker a valid session as the chosen account. What that unlocks depends on the victim:

  • Private messages and any content the targeted user can see

  • Full read, write and delete access across the forum if that user is an administrator

  • No way into the Administration Control Panel, which still demands the admin's password

That last barrier limits how far an intruder can escalate, but it does nothing to shield the private content and member data already exposed by a forum-level takeover.

A Second Flaw Hits OAuth Logins

A second vulnerability, PTT-2026-005, affects boards that have switched on OAuth login through Google, Facebook or Bitly rather than the default. Rated 8.3, it chains a cross-site request forgery weakness with missing OAuth state validation.

An attacker who gets a logged-in victim to load a crafted URL can silently bind their own OAuth credential to the victim's account, enabling a full account takeover with no click required. The link can hide in an image tag in a post or private message, firing as soon as the page loads.

The malicious binding persists in phpBB's database until an admin or the victim notices and removes it.
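The second flaw is described above as a cross-site request forgery chained with missing OAuth state validation. The following is an added illustration, not phpBB's own code, of why a per-session, single-use `state` value that is verified on the callback closes that chain: the session id, user id, provider names and provider user ids are constructed placeholders.

```python
import hmac
import secrets


class OAuthLinkFlow:
    """Minimal model of the 'link an OAuth provider to my forum account' step.

    Constructed example. `links` stands in for the table that records which
    provider identity is bound to which forum account; `pending` holds the
    state value issued to each browser session when the link flow starts.
    """

    def __init__(self):
        self.links = {}    # forum user_id -> (provider, provider_user_id)
        self.pending = {}  # session_id -> state issued at the start of the flow

    def begin(self, session_id):
        # Issued at the start of the flow and sent along with the redirect to
        # the provider; the provider echoes it back on the callback.
        state = secrets.token_urlsafe(32)
        self.pending[session_id] = state
        return state

    def callback_unchecked(self, session_id, user_id, provider, provider_uid, state=None):
        # Vulnerable pattern: the state is never compared with what this session
        # was issued, so any callback URL the victim's browser happens to load
        # (for example from an image tag in a post) completes the binding with
        # whatever provider identity the URL names.
        self.links[user_id] = (provider, provider_uid)
        return True

    def callback_checked(self, session_id, user_id, provider, provider_uid, state):
        # Hardened pattern: the state must exist for this session, match exactly,
        # and is consumed on first use so a captured callback cannot be replayed.
        expected = self.pending.pop(session_id, None)
        if expected is None or state is None:
            return False
        if not hmac.compare_digest(expected, state):
            return False
        self.links[user_id] = (provider, provider_uid)
        return True

    def audit(self):
        # Defender view: list every binding so unexpected provider identities
        # can be spotted and removed, as the article recommends.
        return sorted((uid, prov, puid) for uid, (prov, puid) in self.links.items())
```

A cross-site request carries no state issued to the victim's session, so `callback_checked` rejects it while `callback_unchecked` silently records the attacker-chosen identity against the victim's account.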

phpBB fixed both issues in version 3.3.17, released on June 6, and the developers urged admins to upgrade, which is the only complete fix for PTT-2026-004.

Boards that cannot patch straight away and have OAuth enabled can close the second hole by turning OAuth off and reverting to database authentication, then auditing the OAuth account table for entries no one recognizes.
