CVE-2026-48611: Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled, leading to unauthorized access in default installations
Metrics
- CVSS v3.0: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability in phpBB's OAuth implementation allows a remote, unauthenticated attacker to hijack user accounts even on installations where OAuth is not configured or enabled. The flaw is reachable over the network with no credentials required and no user interaction needed. Successful exploitation gives an attacker full control over the confidentiality, integrity, and availability of the affected phpBB instance (CVSS C:H/I:H/A:H). HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection: Available
Detection is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in both connected registries and CI/CD pipelines. Coverage extends to custom-built images that include phpBB at or below version 3.3.16.
Triage: Available
Triage is available with a CVSS score of 9.8 (Critical), and HarborGuard applies per-environment compliance policy weighting to prioritize routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.
Remediation: Pending upstream
No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention.
Exploit Conditions
- Network reachability: Required
  The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the phpBB service via HTTP/HTTPS from any remote origin.
- Authentication: Not required
  No credentials of any kind are needed; the flaw bypasses authentication entirely, making it exploitable by any unauthenticated party.
- Victim interaction: Not required
  The attacker does not need to trick or involve any user; exploitation is fully self-contained and requires no social engineering.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements.
Blast Radius
- An attacker reads private messages, email addresses, stored session tokens, and any other user data held in the phpBB database.
- An attacker modifies or deletes forum posts, user profiles, and administrator settings, permanently altering persisted content.
- An attacker hijacks arbitrary user accounts, including administrator accounts, gaining full control over the forum and its configuration.
- An attacker can crash or destabilize the phpBB service, denying access to legitimate users.
How HarborGuard Handles This
Because no upstream fix has been published as of the CVE record date, the remediation pipeline is in monitoring mode. HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment phpBB releases a corrected version; for customers with auto-remediation enabled, this also triggers a regression test run and a PR against affected workloads without manual steps.

In the interim, compensating controls are worth considering: network-policy rules that restrict inbound access to phpBB containers to trusted source ranges; egress filtering to limit what the phpBB process can reach if it is compromised; and disabling any public-facing registration or OAuth-adjacent endpoints via feature flags or web-server access controls where operationally feasible. Note that, per the synopsis, the flaw is reachable even where OAuth is not configured or enabled, so leaving OAuth switched off is not by itself a mitigation. The CVSS score of 9.8 (Critical) qualifies this CVE for expedited review queues in environments where compliance policy prioritizes critical unauthenticated network vulnerabilities.
Affected Products
- phpBB / phpBB: ≤ 3.3.16
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H