ZeroPath at Black Hat USA 2026

phpBB CVE-2026-48611: Brief Summary of a Critical OAuth Authentication Bypass Enabling Account Hijacking

A brief summary of CVE-2026-48611, a critical OAuth authentication bypass in phpBB that allows account hijacking on default installations even when OAuth is not configured, affecting all versions prior to 3.3.17.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-11

phpBB CVE-2026-48611: Brief Summary of a Critical OAuth Authentication Bypass Enabling Account Hijacking
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A broken OAuth state verification in phpBB allows any unauthenticated attacker to hijack arbitrary user accounts, including administrators, on completely default installations where OAuth has never been configured. The flaw carries a CVSS 9.8 score and affects every phpBB 3.3.x release prior to 3.3.17, with Aikido Security tracing related authentication weaknesses in the codebase back to approximately 2014.

phpBB is one of the most widely deployed open source forum platforms, powering community forums for millions of users worldwide. The software is maintained by a volunteer development team and distributed freely under the GPL. Its broad adoption across hobbyist communities, enterprise support forums, and educational institutions means this vulnerability has an outsized blast radius relative to the project's profile.

Technical Information

Vulnerability Classification

CVE-2026-48611 falls under CWE-287: Improper Authentication, which describes scenarios where a system "does not prove or insufficiently proves" that an identity claim is correct. This maps to OWASP Top 10:2025 category A07, Authentication Failures.

The CVSS v3.1 base vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, scoring 9.8 (Critical). Breaking this down:

CVSS ComponentValueMeaning
Attack Vector (AV)NetworkExploitable remotely over the internet
Attack Complexity (AC)LowNo specialized conditions required
Privileges Required (PR)NoneNo authentication needed to exploit
User Interaction (UI)NoneNo victim action required
Scope (S)UnchangedImpact confined to the vulnerable component
Confidentiality (C)HighFull information disclosure
Integrity (I)HighComplete system integrity compromise
Availability (A)HighComplete denial of service possible

Every impact dimension is rated High, meaning a successful exploit grants the attacker the full privileges of the hijacked account.

Root Cause: OAuth State Verification Failure

The core flaw resides in phpBB's OAuth implementation, specifically in how it handles the state parameter during the OAuth authentication flow. In a correctly implemented OAuth flow, the state parameter functions as a CSRF protection token. It binds the authorization request to the user session that initiated it, ensuring that the authorization response received by the application genuinely corresponds to a request the current user made.

In phpBB's implementation, this state verification is either missing or insufficient. This allows an attacker to craft an OAuth callback that phpBB accepts without validating its origin. The attacker can effectively bind their own authenticated OAuth identity to a victim's phpBB session.

What makes this particularly dangerous is that the vulnerable OAuth code paths remain active and accessible in the default phpBB installation regardless of whether an administrator has configured any OAuth providers. A standard phpBB install using only database authentication still exposes these endpoints. This means administrators who never enabled Google, Facebook, or any other OAuth provider have no reason to suspect their installation is at risk through OAuth related attack vectors, yet the code paths are fully reachable.

Attack Flow

The vulnerability was discovered by Dan Stefan Alexandru of Pentest-Tools.com, who documented it as PTT-2026-005 alongside a related bypass tracked as PTT-2026-004 (assigned CVE-2026-48612).

Two distinct but complementary attack methods were identified:

PTT-2026-005 (CVE-2026-48611): The attacker exploits the missing state verification to forge an OAuth callback. Because phpBB does not properly validate that the callback originated from a legitimate authorization request tied to the current session, the application accepts the forged response. This allows the attacker to bind their controlled OAuth identity to the victim's phpBB account.

PTT-2026-004 (CVE-2026-48612): A separate authentication bypass that, when chained with PTT-2026-005, enables complete account takeover without requiring the victim's password. The combination of these two flaws means that any logged in user who clicks a malicious link can have their account fully compromised.

The chained exploitation is significant: addressing only one of the two CVEs leaves a residual attack path. Both must be patched simultaneously.

Additional Vulnerabilities in the Same Release

phpBB 3.3.17 addressed four security issues in total:

Security IssueDescriptionScope
CVE-2026-48611OAuth improper authentication / account hijackingAll phpBB 3.3.x prior to 3.3.17, default installations
CVE-2026-48612Authentication bypass (PTT-2026-004)All phpBB 3.3.x prior to 3.3.17
SECURITY-294ACP permission escalationRequires ACP access context
SECURITY-296SQL injection in profile fieldsOnly affects boards updated from pre-3.3.8 that missed the 3.3.11 patch

Post Upgrade Configuration Requirement

After upgrading to 3.3.17, administrators must update the redirect URI in all configured OAuth providers to the new single URI format. The architectural fix refactored the OAuth workflow to use dedicated controllers instead of the previous ucp.php routes. The new redirect URI format is:

https://{board_url}/app.php/user/oauth/authenticate/google

This consolidates two old URIs into a single endpoint. Failure to update OAuth provider redirect URIs after upgrading will break OAuth login functionality.

Affected Systems and Versions

All phpBB 3.3.x versions prior to 3.3.17 are vulnerable. This includes every standard installation regardless of authentication configuration, since the vulnerable OAuth code paths are active even when no OAuth providers have been set up.

Specifically:

  • Vulnerable: phpBB 3.3.0 through 3.3.16 (inclusive), in default configuration
  • Fixed: phpBB 3.3.17 ("Young Bertie"), released June 6, 2026
  • Configuration dependency: None. The vulnerability does not require OAuth to be enabled or configured. Default database authentication installations are exposed.

The BeyondMachines advisory states plainly: "There is no workaround for these flaws. Update your phpBB installation to version 3.3.17."

Disabling OAuth providers in the phpBB admin panel does not eliminate the vulnerability.

Vendor Security History

phpBB has accumulated 67 published CVE records since 2005, with 33 of those having known public exploits. None currently appear in CISA's Known Exploited Vulnerabilities catalog, though this may reflect CISA's catalog scope rather than an absence of real world exploitation of phpBB vulnerabilities.

Aikido Security's research determined that related authentication bypass vulnerabilities have existed in the phpBB codebase since approximately 2014, meaning this class of flaw was dormant for over a decade before discovery. The phpBB team has historically stated they "take security very seriously" and commissioned an external security audit for the phpBB 3.1 release. However, the decade long presence of authentication weaknesses raises questions about the frequency and depth of subsequent security reviews.

On the positive side, the response to CVE-2026-48611 was notably fast. The vulnerability was reported on June 4, 2026 through HackerOne, and phpBB 3.3.17 was released on June 6, 2026: a two day turnaround from report to patch. The release credits multiple researchers including UdinChan, Anteater (giant_anteater), Aikido Security, Dan Stefan Alexandru of Pentest-Tools.com, and Himanshu Anand.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization