Description
XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication.
Published: 2026-04-01
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Passkey Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

XenForo before version 2.3.7 has a vulnerability that allows an attacker to bypass Passkey authentication. The weakness is an authentication flaw that can be exploited to assume the identity of any user with a Passkey configured, compromising account integrity and potentially granting full user privileges.

Affected Systems

The vulnerability affects all XenForo releases prior to 2.3.7. Users running any earlier version should upgrade to 2.3.7 or later to eliminate the flaw.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity and the vulnerability is not listed in the KEV catalog. EPSS data is unavailable, but the lack of known exploits does not reduce the risk. The likely attack vector is through the web interface that processes Passkey authentication requests; an attacker can supply forged Passkey data remotely to coerce the system into authenticating them as a legitimate user. This flaw can be exploited without requiring local access or user interaction.

Generated by OpenCVE AI on April 1, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the XenForo 2.3.7 or later update to install the vendor fix
  • Verify that Passkey authentication functions correctly after the upgrade
  • If an upgrade cannot be applied immediately, disable Passkey authentication for affected accounts as a temporary safeguard
  • Continuously monitor XenForo community forums, security advisories, and relevant security mailing lists for updates or new exploit activity

Generated by OpenCVE AI on April 1, 2026 at 05:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication.
Title XenForo Passkey Security Bypass
First Time appeared Xenforo
Xenforo xenforo
Weaknesses CWE-287
CPEs cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*
Vendors & Products Xenforo
Xenforo xenforo
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Xenforo Xenforo
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T19:00:09.950Z

Reserved: 2026-04-01T00:19:58.851Z

Link: CVE-2025-71279

cve-icon Vulnrichment

Updated: 2026-04-01T18:59:57.219Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T01:16:40.200

Modified: 2026-04-01T18:57:17.270

Link: CVE-2025-71279

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:09:46Z

Weaknesses