Critical phpBB Vulnerability Allows Account Hijacking via Single Request
Severity: High (Score: 72.0)
Sources: Infosecurity-Magazine, Aikido.Dev
Keywords: critical, phpbb, vulnerability, bypass, flaw, lets, attackers
Severity indicators: critical, vulnerability, flaw, rce
Summary
A critical vulnerability in phpBB forum software enables attackers to hijack any account, including administrators, with a single unauthenticated request. The flaw, tracked as PTT-2026-004, affects all versions up to 3.3.16 and the 4.0.0-alpha version. Discovered by Dan Stefan Alexandru, it was reported to phpBB on June 4, 2026. The vulnerability is rated 9.4 on the CVSS scale and allows attackers to obtain a valid session for any user simply by knowing their username. The attack is particularly concerning because it exposes private messages and any content accessible to the compromised account. Although the Administration Control Panel remains secure, the risk of data exposure is significant. phpBB released a patch (version 3.3.17) on June 6, 2026, urging users to upgrade immediately. A secondary vulnerability, PTT-2026-005, affects OAuth logins and can lead to account takeovers if not mitigated. Administrators are advised to disable OAuth if they cannot upgrade promptly.
Key Points:
- phpBB vulnerability allows account hijacking with a single unauthenticated request.
- All versions up to 3.3.16 and 4.0.0-alpha are affected; patch released on June 6, 2026.
- Attackers can access private messages and forum content, posing significant risks.
Detailed Analysis
**Impact**
All phpBB forum instances running versions up to and including 3.3.16 and 4.0.0-alpha2 are affected, exposing millions of users globally, including large online communities with over 6 million members. Attackers can hijack any user account with a single unauthenticated request, gaining access to private messages and user content. A compromised administrator account grants full forum read, write, and delete capabilities, potentially leading to forum-wide data manipulation and exposure. OAuth-enabled boards face the additional risk of silent OAuth credential binding, enabling full account takeover without user interaction.
**Technical Details**
The vulnerability (tracked as PTT-2026-004, CVSS 9.4) is an authentication bypass exploitable via a single HTTP request that requires only the target's username, which is publicly visible on default installations. A chained vulnerability (PTT-2026-005, CVSS 8.3) affects OAuth login implementations by combining CSRF with missing OAuth state validation, allowing silent OAuth credential binding. No malware or specific tools have been publicly identified; the attack occurs at the initial access and persistence stages of the kill chain. No official CVE ID has been assigned yet.
**Recommended Response**
Upgrade phpBB installations immediately to version 3.3.17, or to the master branch for 4.x, to fully remediate the authentication bypass and the OAuth issue. For boards unable to patch promptly, disable OAuth authentication and revert to database authentication, then audit OAuth account bindings for unauthorized entries. Monitor for unusual session creation and for unauthorized access to private messages or administrative functions. No specific IOCs have been published; maintain heightened vigilance over forum access logs.
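The "audit OAuth account bindings" step above is the one a board operator can act on without knowing exploit details. The following is an added example, not code from the page or from the phpBB project: it builds an in-memory SQLite copy of the four tables involved in phpBB's OAuth login (assumed to follow the stock phpBB 3.3 schema with the default `phpbb_` prefix, so verify the names against `$table_prefix` in your `config.php`), fills them with constructed sample rows, and runs two audit queries: OAuth bindings attached to founders or members of privileged groups, and a single external OAuth identity bound to more than one local account, which is the pattern a silent credential-binding attack would leave behind.

```python
import sqlite3

# Constructed sample data mirroring the phpBB 3.3 tables used by OAuth login.
# Table and column names are assumed from the stock schema; adjust the
# "phpbb_" prefix to match $table_prefix in your config.php before running
# the queries against a real board.
SCHEMA = """
CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT, user_type INTEGER);
CREATE TABLE phpbb_groups (group_id INTEGER PRIMARY KEY, group_name TEXT);
CREATE TABLE phpbb_user_group (user_id INTEGER, group_id INTEGER);
CREATE TABLE phpbb_oauth_accounts (user_id INTEGER, provider TEXT, oauth_provider_id TEXT);
"""

# user_type 3 is a founder in phpBB; the group names are the stock special groups.
SAMPLE_ROWS = {
    "phpbb_users": [(2, "admin", 3), (10, "alice", 0), (11, "bob", 0), (12, "carol", 0)],
    "phpbb_groups": [(5, "ADMINISTRATORS"), (4, "GLOBAL_MODERATORS"), (2, "REGISTERED")],
    "phpbb_user_group": [(2, 5), (10, 4), (11, 2), (12, 2)],
    "phpbb_oauth_accounts": [
        (2, "google", "unknown-external-sub"),   # binding on a founder/admin account
        (11, "google", "unknown-external-sub"),  # same external identity reused on bob
        (12, "google", "carol-own-sub"),         # ordinary, single-owner binding
    ],
}

PRIVILEGED_GROUPS = ("ADMINISTRATORS", "GLOBAL_MODERATORS")


def build_sample_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def privileged_bindings(conn):
    """OAuth bindings attached to founders or to members of privileged groups."""
    sql = """
    SELECT DISTINCT u.user_id, u.username, o.provider, o.oauth_provider_id
    FROM phpbb_oauth_accounts o
    JOIN phpbb_users u ON u.user_id = o.user_id
    LEFT JOIN phpbb_user_group ug ON ug.user_id = u.user_id
    LEFT JOIN phpbb_groups g ON g.group_id = ug.group_id
    WHERE u.user_type = 3 OR g.group_name IN (?, ?)
    ORDER BY u.user_id
    """
    return conn.execute(sql, PRIVILEGED_GROUPS).fetchall()


def shared_provider_ids(conn):
    """External OAuth identities bound to more than one local account."""
    sql = """
    SELECT provider, oauth_provider_id, COUNT(*) AS n, GROUP_CONCAT(user_id) AS users
    FROM phpbb_oauth_accounts
    GROUP BY provider, oauth_provider_id
    HAVING n > 1
    """
    return conn.execute(sql).fetchall()


def audit(conn):
    """Run both checks and return the findings for review."""
    return {
        "privileged": privileged_bindings(conn),
        "shared": shared_provider_ids(conn),
    }


if __name__ == "__main__":
    report = audit(build_sample_db())
    for row in report["privileged"]:
        print("privileged account with OAuth binding:", row)
    for row in report["shared"]:
        print("external identity bound to several accounts:", row)
```

Against a real board, run only the two SELECT statements with the correct prefix; any binding on an administrator or moderator account that the owner did not create, and any external identity that appears on several accounts, should be removed and the affected accounts' sessions and passwords reset.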
Source articles (2)
- Critical phpBB Flaw Lets Attackers Hijack Any Account with One Request — Infosecurity-Magazine · 2026-06-09
A critical flaw in the phpBB forum software has been disclosed that lets attackers hijack any account, including administrators, with a single unauthenticated request and no password. Tracked as PTT-2…
- Critical phpBB Vulnerability: Auth Bypass + RCE Since 2014 — Aikido.Dev · 2026-06-10
Aikido's AI pentesting tool Aikido Attack discovered a critical Authentication Bypass vulnerability in the latest version of the forum software phpBB, which can lead to Remote Code Execution, a compl…
Timeline
- 2026-06-04 — Vulnerability reported to phpBB: Dan Stefan Alexandru disclosed the authentication bypass flaw to phpBB, affecting multiple versions.
- 2026-06-06 — Patch released for phpBB: phpBB released version 3.3.17 to address the critical vulnerabilities, urging immediate upgrades.
- 2026-06-10 — Critical vulnerability disclosed: Aikido Attack revealed a critical authentication bypass vulnerability in phpBB, leading to RCE.
Related entities
- Data Breach (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-287 - Improper Authentication (CWE)
- CWE-352 - Cross-Site Request Forgery (CSRF) (CWE)
- pentest-tools.com (Domain)
- Santy (Malware)
- T1078 - Valid Accounts (MITRE ATT&CK)
- T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
- Bitly (Platform)
- phpBB (Platform)
- Google (Company)
- Aikido Attack (Tool)