cve.akaoma.com
Critical CVE-2026-48611 Vulnerability Allows OAuth Account Hijacking
CVE-2026-48611 has been identified as a critical vulnerability due to improper authentication checks in OAuth implementations, allowing account hijacking even when OAuth is disabled. This flaw affects default installations of phpBB versions below 3.3.16, enabling unauthenticated attackers to gain unauthorized access to user accounts. The vulnerability has been assigned a CVSS score of 9.8, indicating its critical nature. Currently, there is no evidence of public proof-of-concept or active exploitation. Security experts recommend applying the patch available via GitHub Advisory immediately or disabling OAuth functionality if not needed. Organizations should also audit account access logs for any signs of unauthorized activity. The vulnerability was published on June 12, 2026.
Key Points:
• CVE-2026-48611 is a critical vulnerability with a CVSS score of 9.8.
• It allows account hijacking through improper OAuth authentication checks.
• Immediate patching is recommended to mitigate risks associated with this flaw.