CVE-2026-47366 (HIGH) | CNA: hackerone

Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface.

Metrics

CVSS v3.0: 7.2
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability in phpBB's Administration Control Panel (ACP). An authenticated administrator can manipulate permission assignments to grant rights beyond what their account level authorizes, effectively elevating their own or another account's privileges within the admin interface. Exploitation requires network access and a valid administrator account, and successful abuse gives the attacker full control over confidentiality, integrity, and availability of the affected system. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-47366 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle phpBB 3.3.16 or earlier. Any image in a connected registry or CI pipeline carrying an affected phpBB version will surface in scan results automatically.

Triage: Available

Triage capability is available with the CVSS 3.0 score of 7.2 (HIGH) applied to each finding, weighted further by per-environment compliance policy to reflect the actual risk posture of each customer org. Routed findings land in the inbox of the team or individual designated by each customer's policy configuration.

Patch: Pending upstream

No fix version has been published for this CVE. HarborGuard re-checks the upstream advisory on every ingest cycle, and a patched-image rebuild will become available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a patch is available.

Exploit Conditions

  • Network reachability: Required

    The ACP is exposed over the network, so an attacker must be able to reach the phpBB admin interface via a standard HTTP/S connection.

  • Authentication: Required

    A valid administrator account is required; any admin-level credential is sufficient, even one with limited delegated privileges.

  • Victim interaction: Not required

    No victim action is needed; the attacker operates entirely through their own authenticated session.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental factors to succeed.

Blast Radius

  • The attacker reads sensitive administrative data, including user account details, private messages, and configuration secrets stored in the phpBB instance.
  • The attacker modifies persisted permission records, user roles, and site configuration, potentially granting arbitrary accounts elevated or full administrative rights.
  • The attacker can disrupt or fully take down the phpBB service by altering core settings or deleting critical data.
  • Any account whose permissions are manipulated carries the escalated rights forward, meaning the impact persists beyond the initial exploit session.

How HarborGuard Handles This

Available on HarborGuard: images containing phpBB at or below version 3.3.16 are flagged automatically upon scan, with the finding scored at 7.2 HIGH and routed per each customer's compliance policy. Because no upstream fix has been published yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fix version appears. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression run and a PR opened against affected workloads.

In the interim, compensating controls worth considering include:

  • Network-policy rules that restrict ACP access to trusted IP ranges or internal VPN endpoints only.
  • Feature-flag or server-level gating of the ACP path for any administrator accounts with delegated (non-super-admin) privileges.
  • Audit-logging of all ACP permission change events to detect unauthorized escalation attempts early.
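The first and third of those compensating controls can be applied at the reverse proxy without touching phpBB itself. The nginx fragment below is an added example, not HarborGuard's or phpBB's own configuration; it assumes the ACP is served from phpBB's default /adm/ directory (operators who renamed it must adjust the location), that the trusted ranges 10.0.0.0/8 and 192.0.2.0/24 are placeholders to be replaced with the real VPN or office networks, and that PHP is handled by a php-fpm socket at the path shown.

```nginx
# Added example: restrict the phpBB ACP to trusted networks and log every
# ACP request separately so permission changes can be audited.
# Assumptions (placeholders): server_name, certificate paths, trusted
# CIDRs, document root and the php-fpm socket path.
server {
    listen 443 ssl;
    server_name forum.example.com;

    ssl_certificate     /etc/ssl/certs/forum.example.com.pem;
    ssl_certificate_key /etc/ssl/private/forum.example.com.key;

    root /var/www/phpbb;
    index index.php;

    # phpBB's default ACP path. Only the listed ranges may reach it;
    # every other client receives 403 before PHP is ever invoked.
    location ^~ /adm/ {
        allow 10.0.0.0/8;      # placeholder: internal network
        allow 192.0.2.0/24;    # placeholder: VPN egress range
        deny  all;

        # Dedicated log for ACP traffic: review it for unexpected
        # POSTs to the permission pages from delegated-admin sessions.
        access_log /var/log/nginx/phpbb-acp.log combined;

        # Nested PHP handler; the allow/deny rules above are inherited.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # Ordinary forum pages remain reachable from anywhere.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /app.php$is_args$args;
    }
}
```

The `^~` prefix match ensures the /adm/ block wins over the generic `\.php$` regex location, so the IP restriction cannot be bypassed by requesting an ACP script directly. Run `nginx -t` after editing, then confirm from an untrusted address that /adm/index.php returns 403 while the forum front page still loads.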

Affected packages

  • phpBB / phpBB ≤ 3.3.16

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H