Description
XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.
Published: 2026-04-01
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized OAuth2 scope escalation
Action: Patch immediately
AI Analysis

Impact

A flaw in XenForo’s OAuth2 implementation permits client applications to request scopes that have not been authorized by the end user. By exploiting this vulnerability, a malicious client can gain access to privileged resources or functions beyond its intended level, potentially exposing sensitive data or administrative controls.

Affected Systems

All XenForo installations running the 2.3 series prior to version 2.3.5 that employ OAuth2 clients are affected. This includes any deployment that relies on OAuth2 for authentication and authorization, regardless of the specific configuration of the application or server.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity. EPSS data is unavailable, but the vulnerability can be triggered remotely by an attacker who can send OAuth2 scope requests to the target. The absence of a listing in CISA’s KEV catalog indicates no confirmed exploitation so far, but the potential for privilege escalation means the risk remains significant for users running vulnerable versions.

Generated by OpenCVE AI on April 1, 2026 at 05:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading to XenForo 2.3.5 or later



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 06:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.
Title | (none) | XenForo OAuth2 Unauthorized Scope Request
First Time appeared | (none) | Xenforo; Xenforo xenforo
Weaknesses | (none) | CWE-863
CPEs | (none) | cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Xenforo; Xenforo xenforo
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T15:52:08.811Z

Reserved: 2026-04-01T00:19:58.851Z

Link: CVE-2025-71278

Vulnrichment

Updated: 2026-04-01T15:19:51.241Z

NVD

Status : Analyzed

Published: 2026-04-01T01:16:40.000

Modified: 2026-04-01T18:51:48.267

Link: CVE-2025-71278

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:09:47Z

Weaknesses