Decade-old phpBB auth bypass lets anyone become admin, then run code
A critical flaw in phpBB, the open-source forum software running on thousands of sites, lets an unauthenticated attacker obtain a valid login session as any user, including an administrator, with a single HTTP request. The bug (CVE-2026-48611, rated 9.4) works in the default configuration and traces back to code from 2014. An admin session gives full read, write, and delete access to the forum and, on the latest branch, opens a path to remote code execution and full server takeover. A second, lower-severity flaw affecting only OAuth-configured installs was also fixed. phpBB released version 3.3.17 to patch both.
- Check
  - Identify phpBB installations and their versions, prioritizing internet-facing forums, and confirm whether any are running version 3.3.16 or earlier or the 4.0.0-a2 alpha.
- Affected
  - phpBB 3.3.16 and earlier, and the 4.0.0-a2 alpha, in the default database authentication mode (CVE-2026-48611); a second flaw (CVE-2026-48612) affects only OAuth-configured installs.
- Fix
  - Upgrade to phpBB 3.3.17 immediately; there is no safe 4.x release yet, so 4.x users should move to the patched master branch. No configuration workaround fully closes the bypass.
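To support the version check above, an added example (not from the advisory or the phpBB project): a Python helper that reads the PHPBB_VERSION constant phpBB declares in includes/constants.php and classifies it against the ranges stated on this page. The constants.php sample is constructed, and the pre-release handling assumes phpBB's `major.minor.patch[-suffix]` version format.

```python
import re
from typing import Optional, Tuple

# Version facts from the advisory: 3.3.16 and earlier and the 4.0.0-a2 alpha
# are vulnerable, 3.3.17 is the fix, and no patched 4.x release exists yet.
FIXED_3X = (3, 3, 17)
KNOWN_BAD_4X = "4.0.0-a2"

# phpBB declares its version in includes/constants.php as
#   @define('PHPBB_VERSION', '3.3.16');
VERSION_RE = re.compile(r"define\(\s*'PHPBB_VERSION'\s*,\s*'([^']+)'")


def extract_version(constants_php: str) -> Optional[str]:
    """Pull the PHPBB_VERSION string out of the text of includes/constants.php."""
    m = VERSION_RE.search(constants_php)
    return m.group(1) if m else None


def parse_version(version: str) -> Tuple[Tuple[int, ...], Optional[str]]:
    """'3.3.16' -> ((3, 3, 16), None); '4.0.0-a2' -> ((4, 0, 0), 'a2')."""
    core, _, pre = version.partition("-")
    return tuple(int(p) for p in core.split(".")), (pre or None)


def classify(version: str) -> str:
    """Return 'affected', 'patched' or 'unknown' for a phpBB version string."""
    nums, pre = parse_version(version)
    if nums[0] == 3:
        if nums < FIXED_3X:
            return "affected"          # 3.3.16 and every earlier 3.x build
        if nums == FIXED_3X and pre:
            return "unknown"           # a 3.3.17 pre-release is not the fix
        return "patched"
    if nums[0] == 4:
        # 4.0.0-a2 is named as vulnerable; since no safe 4.x release exists,
        # any other 4.x build needs a manual check of its branch.
        return "affected" if version == KNOWN_BAD_4X else "unknown"
    return "unknown"


def audit_install(constants_php: str) -> Tuple[Optional[str], str]:
    """(version string, classification) for one install's constants.php text."""
    version = extract_version(constants_php)
    return version, (classify(version) if version else "unknown")


# Constructed sample of the relevant line from a 3.3.16 install's constants.php.
SAMPLE_CONSTANTS = "<?php\n@define('PHPBB_VERSION', '3.3.16');\n"

if __name__ == "__main__":
    print(audit_install(SAMPLE_CONSTANTS))  # ('3.3.16', 'affected')
```

Run it against the includes/constants.php of each install found in inventory; the authentication method (database vs. OAuth) lives in the forum's config table, so confirm that separately when triaging CVE-2026-48612.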