Description
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.
Published: 2026-06-12
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper authentication checks in the OAuth implementation of phpBB, enabling attackers to hijack accounts even when OAuth is not configured or enabled. The flaw permits unauthorized access in default installations, potentially allowing attackers to impersonate users, access sensitive data, and possibly elevate privileges. The likely attack vector is remote exploitation through standard HTTP requests, though the CVE description does not explicitly state network requirements. The flaw is a typical instance of authentication bypass (CWE-287).

Affected Systems

Affected systems include PHP based forums running phpBB with the default installation set‑up. No specific product version is listed, so any installation using the default authentication configuration is potentially vulnerable.

Risk and Exploitability

The severity score of 9.8 indicates a critical risk. The exploit probability metric is not available, but the vulnerability is not yet listed in the CISA KEV catalog. Based on the description, an attacker can exploit the flaw remotely, without prior authentication, and with no prerequisites. The lack of a patch or workaround in the data suggests that only a future update or manual disabling of OAuth could mitigate the risk.

Generated by OpenCVE AI on June 12, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update phpBB to the latest version that addresses this authentication flaw.
  • Disable or remove OAuth functionality in phpBB configuration if not required.
  • Review authentication settings and restrict account access; monitor logs for suspicious login activity.
  • Check for any custom modules that inject OAuth and remove or secure them.

Generated by OpenCVE AI on June 12, 2026 at 04:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Phpbb
Phpbb phpbb
Vendors & Products Phpbb
Phpbb phpbb

Fri, 12 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Improper Authentication in phpBB OAuth Enables Account Hijacking

Fri, 12 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Description Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.
Weaknesses CWE-287
References
Metrics cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Phpbb Phpbb
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-12T02:27:43.351Z

Reserved: 2026-05-22T15:00:09.276Z

Link: CVE-2026-48611

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-12T04:17:08.180

Modified: 2026-06-12T04:17:08.180

Link: CVE-2026-48611

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T04:45:05Z

Weaknesses