Last updated: July 5, 2026 at 9:01 AM UTC

Decade-old phpBB auth bypass lets anyone become admin, then run code

A critical flaw in phpBB, the open-source forum software running on thousands of sites, lets an unauthenticated attacker obtain a valid login session as any user, including an administrator, with a single HTTP request. The bug (CVE-2026-48611, rated 9.4) works in the default configuration and traces back to code from 2014. An admin session gives full read, write, and delete access to the forum and, on the latest branch, opens a path to remote code execution and full server takeover. A second, lower-severity flaw affecting only OAuth-configured installs was also fixed. phpBB released version 3.3.17 to patch both.

Check
Identify phpBB installations and their versions, prioritizing internet-facing forums, and confirm whether any are running version 3.3.16 or earlier or the 4.0.0-a2 alpha.
Affected
phpBB forums version 3.3.16 and earlier and 4.0.0-a2 in the default database authentication mode (CVE-2026-48611); a second flaw (CVE-2026-48612) affects only OAuth-configured installs.
Fix
Upgrade to phpBB 3.3.17 immediately; there is no safe 4.x release yet, so 4.x users should move to the patched master branch. No configuration workaround fully closes the bypass.
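One way to carry out the version check described above, as an added example that is not part of the original article or of phpBB itself: phpBB records its own version in `includes/constants.php` as `define('PHPBB_VERSION', '...')`, so a scan can read that file from each install root and compare against the fixed 3.3.17 release. The sample file contents embedded below are constructed for offline use; the status strings and the treatment of the 4.x series (no safe release yet) follow the advisory text above and are this example's own assumptions.

```python
import re
import sys
from pathlib import Path

# phpBB stores its version in includes/constants.php as
#   define('PHPBB_VERSION', '3.3.16');
VERSION_RE = re.compile(r"define\(\s*'PHPBB_VERSION'\s*,\s*'([^']+)'\s*\)")

FIXED_3X = (3, 3, 17)  # first patched 3.x release according to the advisory

# Constructed sample of the file so the script runs without a real install.
SAMPLE_CONSTANTS_PHP = """<?php
if (!defined('IN_PHPBB')) { exit; }
define('PHPBB_VERSION', '3.3.16');
"""


def extract_version(constants_php: str):
    """Return the PHPBB_VERSION string from the file text, or None if absent."""
    m = VERSION_RE.search(constants_php)
    return m.group(1) if m else None


def version_key(version: str):
    """Sort key: numeric parts, then 1 for a final release or 0 for a pre-release,
    so '4.0.0-a2' sorts before '4.0.0' and '3.3.17-RC1' before '3.3.17'."""
    core, _, pre = version.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    return nums, (0 if pre else 1)


def assess(version: str) -> str:
    """Classify one phpBB version string against the advisory."""
    try:
        key = version_key(version)
    except ValueError:
        return "unknown: unparseable version string"
    major = key[0][0]
    if major <= 3:
        # Anything below the final 3.3.17 release (pre-releases included) is affected.
        if key < (FIXED_3X, 1):
            return "VULNERABLE: upgrade to 3.3.17"
        return "patched"
    if major == 4:
        # Advisory: no safe 4.x release exists; 4.x users move to the patched master branch.
        return "VULNERABLE: no patched 4.x release; move to the patched master branch"
    return "unknown: newer than this advisory covers"


def assess_constants_file(constants_php: str):
    """Return (version, status) for the text of an includes/constants.php file."""
    version = extract_version(constants_php)
    if version is None:
        return None, "unknown: PHPBB_VERSION not found"
    return version, assess(version)


def assess_install(root):
    """Read <root>/includes/constants.php from a phpBB install on disk."""
    path = Path(root) / "includes" / "constants.php"
    return assess_constants_file(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    roots = sys.argv[1:]
    if not roots:
        print("sample install:", assess_constants_file(SAMPLE_CONSTANTS_PHP))
    for root in roots:
        print(root, assess_install(root))
```

Run it with one or more phpBB document roots as arguments (`python check_phpbb.py /var/www/forum`); with no arguments it classifies the constructed sample. Pre-release suffixes are ordered below the corresponding final release so that an alpha or RC of the fixed version is still reported as affected.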