Description
Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface.
Published: 2026-06-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated administrator logged into the phpBB Administration Control Panel (ACP) could modify access permissions in ways that exceeded the permissions granted to their own account. This flaw in the permission verification logic allowed the attacker to grant themselves higher levels of administrative authority, creating a privilege escalation vector within the forum's backend. The weakness is classified as CWE-284 (Improper Access Control), indicating that an access control check is missing or inadequately implemented.

Affected Systems

All phpBB installations are potentially vulnerable; the vendor’s advisory does not list specific affected versions, so any instance of phpBB that has not yet been patched should be examined for this flaw.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.2 (High). EPSS data is not available, and the flaw has not been catalogued in CISA's KEV list. Exploitation requires legitimate administrator credentials and access to the ACP over the network (CVSS PR:H, AV:N), so the exposed surface is the ACP web interface itself. Once exploited, the attacker can elevate permissions within the administrative interface, potentially compromising the entire forum configuration and stored data.

Generated by OpenCVE AI on June 12, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpBB to the latest release that includes the fix for the ACP permission verification flaw.
  • If an upgrade cannot be performed immediately, revoke or reduce the "can_modify_permissions" ACL for all administrative roles until a patch is applied.
  • Continuously audit and monitor ACL assignments for administrative accounts to detect and prevent unauthorized permission escalations.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 05:15:00 +0000

Type  | Values Removed | Values Added
Title |                | Privilege Escalation via Improper Permission Verification in phpBB ACP

Fri, 12 Jun 2026 04:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Phpbb; Phpbb phpbb
Vendors & Products  |                | Phpbb; Phpbb phpbb

Fri, 12 Jun 2026 03:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface.
Weaknesses  |                | CWE-284
References  |                |
Metrics     |                | cvssV3_0 {'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-12T02:27:43.441Z

Reserved: 2026-05-19T15:00:09.320Z

Link: CVE-2026-47366

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T04:17:05.390

Modified: 2026-06-12T04:17:05.390

Link: CVE-2026-47366

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T05:00:17Z

Weaknesses