Introduction
A broken OAuth state verification in phpBB allows any unauthenticated attacker to hijack arbitrary user accounts, including administrators, on completely default installations where OAuth has never been configured. The flaw carries a CVSS 9.8 score and affects every phpBB 3.3.x release prior to 3.3.17, with Aikido Security tracing related authentication weaknesses in the codebase back to approximately 2014.
phpBB is one of the most widely deployed open source forum platforms, powering community forums for millions of users worldwide. The software is maintained by a volunteer development team and distributed freely under the GPL. Its broad adoption across hobbyist communities, enterprise support forums, and educational institutions means this vulnerability has an outsized blast radius relative to the project's profile.
Technical Information
Vulnerability Classification
CVE-2026-48611 falls under CWE-287: Improper Authentication, which describes scenarios where a system "does not prove or insufficiently proves" that an identity claim is correct. This maps to OWASP Top 10:2025 category A07, Authentication Failures.
The CVSS v3.1 base vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, scoring 9.8 (Critical). Breaking this down:
| CVSS Component | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the internet |
| Attack Complexity (AC) | Low | No specialized conditions required |
| Privileges Required (PR) | None | No authentication needed to exploit |
| User Interaction (UI) | None | No victim action required |
| Scope (S) | Unchanged | Impact confined to the vulnerable component |
| Confidentiality (C) | High | Full information disclosure |
| Integrity (I) | High | Complete system integrity compromise |
| Availability (A) | High | Complete denial of service possible |
Every impact dimension is rated High, meaning a successful exploit grants the attacker the full privileges of the hijacked account.
Root Cause: OAuth State Verification Failure
The core flaw resides in phpBB's OAuth implementation, specifically in how it handles the state parameter during the OAuth authentication flow. In a correctly implemented OAuth flow, the state parameter functions as a CSRF protection token. It binds the authorization request to the user session that initiated it, ensuring that the authorization response received by the application genuinely corresponds to a request the current user made.
In phpBB's implementation, this state verification is either missing or insufficient. This allows an attacker to craft an OAuth callback that phpBB accepts without validating its origin. The attacker can effectively bind their own authenticated OAuth identity to a victim's phpBB session.
What makes this particularly dangerous is that the vulnerable OAuth code paths remain active and accessible in the default phpBB installation regardless of whether an administrator has configured any OAuth providers. A standard phpBB install using only database authentication still exposes these endpoints. This means administrators who never enabled Google, Facebook, or any other OAuth provider have no reason to suspect their installation is at risk through OAuth related attack vectors, yet the code paths are fully reachable.
Attack Flow
The vulnerability was discovered by Dan Stefan Alexandru of Pentest-Tools.com, who documented it as PTT-2026-005 alongside a related bypass tracked as PTT-2026-004 (assigned CVE-2026-48612).
Two distinct but complementary attack methods were identified:
PTT-2026-005 (CVE-2026-48611): The attacker exploits the missing state verification to forge an OAuth callback. Because phpBB does not properly validate that the callback originated from a legitimate authorization request tied to the current session, the application accepts the forged response. This allows the attacker to bind their controlled OAuth identity to the victim's phpBB account.
PTT-2026-004 (CVE-2026-48612): A separate authentication bypass that, when chained with PTT-2026-005, enables complete account takeover without requiring the victim's password. The combination of these two flaws means that any logged in user who clicks a malicious link can have their account fully compromised.
The chained exploitation is significant: addressing only one of the two CVEs leaves a residual attack path. Both must be patched simultaneously.
Additional Vulnerabilities in the Same Release
phpBB 3.3.17 addressed four security issues in total:
| Security Issue | Description | Scope |
|---|---|---|
| CVE-2026-48611 | OAuth improper authentication / account hijacking | All phpBB 3.3.x prior to 3.3.17, default installations |
| CVE-2026-48612 | Authentication bypass (PTT-2026-004) | All phpBB 3.3.x prior to 3.3.17 |
| SECURITY-294 | ACP permission escalation | Requires ACP access context |
| SECURITY-296 | SQL injection in profile fields | Only affects boards updated from pre-3.3.8 that missed the 3.3.11 patch |
Post Upgrade Configuration Requirement
After upgrading to 3.3.17, administrators must update the redirect URI in all configured OAuth providers to the new single URI format. The architectural fix refactored the OAuth workflow to use dedicated controllers instead of the previous ucp.php routes. The new redirect URI format is:
https://{board_url}/app.php/user/oauth/authenticate/google
This consolidates two old URIs into a single endpoint. Failure to update OAuth provider redirect URIs after upgrading will break OAuth login functionality.
Affected Systems and Versions
All phpBB 3.3.x versions prior to 3.3.17 are vulnerable. This includes every standard installation regardless of authentication configuration, since the vulnerable OAuth code paths are active even when no OAuth providers have been set up.
Specifically:
- Vulnerable: phpBB 3.3.0 through 3.3.16 (inclusive), in default configuration
- Fixed: phpBB 3.3.17 ("Young Bertie"), released June 6, 2026
- Configuration dependency: None. The vulnerability does not require OAuth to be enabled or configured. Default database authentication installations are exposed.
The BeyondMachines advisory states plainly: "There is no workaround for these flaws. Update your phpBB installation to version 3.3.17."
Disabling OAuth providers in the phpBB admin panel does not eliminate the vulnerability.
Vendor Security History
phpBB has accumulated 67 published CVE records since 2005, with 33 of those having known public exploits. None currently appear in CISA's Known Exploited Vulnerabilities catalog, though this may reflect CISA's catalog scope rather than an absence of real world exploitation of phpBB vulnerabilities.
Aikido Security's research determined that related authentication bypass vulnerabilities have existed in the phpBB codebase since approximately 2014, meaning this class of flaw was dormant for over a decade before discovery. The phpBB team has historically stated they "take security very seriously" and commissioned an external security audit for the phpBB 3.1 release. However, the decade long presence of authentication weaknesses raises questions about the frequency and depth of subsequent security reviews.
On the positive side, the response to CVE-2026-48611 was notably fast. The vulnerability was reported on June 4, 2026 through HackerOne, and phpBB 3.3.17 was released on June 6, 2026: a two day turnaround from report to patch. The release credits multiple researchers including UdinChan, Anteater (giant_anteater), Aikido Security, Dan Stefan Alexandru of Pentest-Tools.com, and Himanshu Anand.
References
- phpBB 3.3.17 Release Announcement
- CVE-2026-48611 on TheHackerWire
- CVE-2026-48611 on dbugs (Positive Technologies)
- Infosecurity Magazine: Critical phpBB Flaw Lets Attackers Hijack Any Account
- Pentest-Tools.com: phpBB Authentication Bypass Research
- Aikido Security: Critical phpBB Vulnerability Auth Bypass Since 2014
- BeyondMachines: Critical phpBB Vulnerabilities Allow Unauthenticated Account Takeover
- CWE-287: Improper Authentication
- OWASP Top 10:2025 A07 Authentication Failures
- phpBB Vulnerabilities Overview on RadicalNotion.AI
- Proofpoint: 2026 Vulnerability Exploitation in the Wild
- Pentest-Tools.com: phpBB Authentication Bypass Exploit Entry



