Description
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through a misconfigured host setup or missing header validation by the web server) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.
Published: 2026-05-04
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

phpBB before version 3.3.16 contains a host header injection flaw: the application trusts the client-supplied Host header sent with the request. When the PHP directive force_server_vars is disabled, the application uses that Host header to construct the URL placed in password reset emails. An attacker who can inject a malicious Host header can cause the reset link to point to a site under their control, enabling phishing of the reset token and subsequent account takeover. This flaw maps to CWE-640, representing improper source validation for an externally supplied identifier.

Affected Systems

All installations of phpBB version 3.3.x earlier than 3.3.16 are affected. The issue is specific to the phpBB forum software, and no other vendor or product variants are known to be impacted.

Risk and Exploitability

Exploitation requires the ability to supply a forged Host header to the vulnerable phpBB instance, typically achievable by hosting a site that forwards requests or by manipulating DNS or server configuration so that arbitrary Host values reach the application. Because password reset requests are often triggered by legitimate users or automated processes, an attacker can lure a user into clicking the poisoned link. The EPSS score indicates a very low but nonzero probability of exploitation (< 1%), and the vulnerability is not listed in CISA's KEV catalog, but the potential for account compromise is high. The CVSS score is 8.1, indicating high severity, which underlines the need for a prompt patch.

Generated by OpenCVE AI on May 4, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpBB to version 3.3.16 or later.
  • Set the PHP configuration setting force_server_vars to 1 so that Host header values are not used when generating URLs.
  • Configure the web server to validate the Host header against known, allowed hostnames and reject or block requests with unexpected or malicious values.
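The following PHP is an added example written for this page, not phpBB's own code. It contrasts the pattern the description covers (a reset-link builder that copies the request's Host header into the URL) with the two mitigations listed above: building the link from a fixed configured base URL, which is what enabling force_server_vars achieves, and checking the Host header against an allowlist of known hostnames before the request is served. The function names, the `/reset.php` path and the `public_base_url` configuration key are hypothetical, and the request data is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not phpBB code. Function names, the '/reset.php' path and
// the 'public_base_url' config key are hypothetical placeholders.

/**
 * Vulnerable pattern: the link's host is whatever the client sent in the
 * Host header, so a forged header is copied into the e-mailed reset URL.
 */
function build_reset_url_from_host_header(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? 'localhost';
    return sprintf('%s://%s/reset.php?token=%s', $scheme, $host, rawurlencode($token));
}

/**
 * Hardened pattern (what enabling force_server_vars achieves): the host comes
 * from trusted configuration; nothing from the request reaches the URL.
 */
function build_reset_url_from_config(array $config, string $token): string
{
    $base = rtrim($config['public_base_url'], '/');
    return sprintf('%s/reset.php?token=%s', $base, rawurlencode($token));
}

/**
 * Defence in depth: accept only known hostnames. Strips an optional port
 * suffix, compares case-insensitively and rejects anything else, so a
 * request carrying an unexpected Host never reaches the link builder.
 */
function host_header_is_allowed(string $hostHeader, array $allowedHosts): bool
{
    $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)) ?? '');
    if ($host === '' || !preg_match('/^[a-z0-9.\-\[\]:]+$/', $host)) {
        return false;
    }
    $allowed = array_map('strtolower', $allowedHosts);
    return in_array($host, $allowed, true);
}

// Constructed demonstration input: a request carrying a forged Host header.
$token         = 'constructed-reset-token';
$forgedRequest = ['HTTP_HOST' => 'attacker.example', 'HTTPS' => 'on'];
$config        = ['public_base_url' => 'https://forum.example.com'];
$allowedHosts  = ['forum.example.com'];

echo 'Host-header based: ', build_reset_url_from_host_header($forgedRequest, $token), PHP_EOL;
echo 'Config based:      ', build_reset_url_from_config($config, $token), PHP_EOL;

// The allowlist check rejects the forged value and accepts the real host
// even when it arrives with different casing or an explicit port.
foreach (['attacker.example', 'Forum.Example.com:443'] as $candidate) {
    $verdict = host_header_is_allowed($candidate, $allowedHosts) ? 'allowed' : 'rejected';
    echo str_pad($candidate, 24), $verdict, PHP_EOL;
}
```

Run it with `php example.php`. The first line of output shows the forged hostname inside the reset link, which is exactly the poisoned link the advisory describes; the second shows that a configured base URL is unaffected by anything in the request. The allowlist check is the application-side counterpart of the web server validation in the last recommended action: the same comparison belongs in the default virtual host so that requests for unknown hostnames are refused before they reach PHP at all.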

Tracking

Advisories

No advisories yet.

History

Mon, 04 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Host Header Injection in phpBB Enables Poisoned Password Reset Links

Mon, 04 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Host Header Injection in phpBB Enables Poisoned Password Reset Links
First Time appeared: Phpbb; Phpbb phpbb
Vendors & Products: Phpbb; Phpbb phpbb

Mon, 04 May 2026 06:45:00 +0000

Type Values Removed Values Added
Description phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through a misconfigured host setup or missing header validation by the web server) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.
Weaknesses CWE-640
References

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-04T19:43:18.257Z

Reserved: 2026-03-04T15:00:09.266Z

Link: CVE-2026-29199

Vulnrichment

Updated: 2026-05-04T19:43:14.615Z

NVD

Status : Received

Published: 2026-05-04T07:15:59.960

Modified: 2026-05-04T20:16:17.493

Link: CVE-2026-29199

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T22:00:11Z

Weaknesses