Description
Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’s account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover.
Published: 2026-06-12
Score: 8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery flaw (CWE-352) in the OAuth implementation of phpBB: because the OAuth state value is not properly verified, an attacker can manipulate the authentication flow so that a victim's account becomes linked to an attacker-controlled account. Once the accounts are linked, the attacker can use that link to take over or hijack the victim's account.

Affected Systems

The flaw affects the phpBB forum software. The advisory does not name specific affected versions, so all current releases should be treated as potentially vulnerable until a fixed version is published.

Risk and Exploitability

The CVSS v3.0 score of 8 indicates high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the absence of an EPSS score does not mean exploitation risk is low. The weakness is inferred to be exploitable through a CSRF attack on the OAuth login flow, a well-known attack pattern for state-verification failures.

Generated by OpenCVE AI on June 12, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If a patch is available, upgrade phpBB to the latest release immediately.
  • Validate the OAuth state value on the server side: compare the state returned on the callback with the value stored in the user's session, and reject any authentication request whose state is missing or does not match.
  • Disable or remove any third-party OAuth plugins or extensions that are not needed for your deployment.
  • Consider deploying a web application firewall rule set that detects repeated state-parameter manipulations or unusual OAuth redirect patterns.
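The following is an added illustration of the server-side state check recommended above; it is not phpBB code and does not reflect how phpBB's OAuth module is implemented. It shows the weak pattern the CWE describes (a callback that only checks that some state value is present) beside a hardened check that mints a random state per session, binds it to the logged-in user and provider, consumes it on first use, and compares it in constant time. The session is a plain PHP array and the provider name, user id and TTL are constructed values so the script runs stand-alone.

```php
<?php
// Added example, not phpBB code: OAuth state handling for an account-linking flow.
// The session is a plain array here so the script runs on its own; in a real
// application it would be the user's server-side session.
declare(strict_types=1);

const STATE_TTL_SECONDS = 600;   // assumed lifetime for an outstanding state value

// Step 1 (authorize): mint a state value, store it in the session together with
// the user and provider it was issued for, and send it to the provider.
function issueOAuthState(array &$session, int $userId, string $provider): string
{
    $state = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $session['oauth_state'] = [
        'value'    => $state,
        'user_id'  => $userId,
        'provider' => $provider,
        'issued'   => time(),
    ];
    return $state;
}

// Weak pattern (the defect class behind CWE-352 here): the callback checks that a
// state parameter exists but never compares it with what this session issued, so
// any forged callback with any state value is accepted.
function verifyOAuthStateWeak(array $query): bool
{
    return isset($query['state']) && $query['state'] !== '';
}

// Hardened check: accept the callback only if the state echoes exactly what this
// session minted, for this user and provider, and has not expired. The stored
// state is removed on first use so it cannot be replayed.
function verifyOAuthState(array &$session, array $query, int $currentUserId, string $provider, int $now): bool
{
    $stored = $session['oauth_state'] ?? null;
    unset($session['oauth_state']);   // single use, whatever the outcome

    if ($stored === null || !isset($query['state']) || !is_string($query['state'])) {
        return false;   // no state was issued, or none came back
    }
    if ($stored['provider'] !== $provider || $stored['user_id'] !== $currentUserId) {
        return false;   // state was minted for a different user or provider
    }
    if ($now - $stored['issued'] > STATE_TTL_SECONDS) {
        return false;   // expired
    }
    // Constant-time comparison; avoids leaking how many bytes matched.
    return hash_equals($stored['value'], $query['state']);
}

// Constructed demo: user 42 links an external account, then callbacks arrive.
$session = [];
$userId  = 42;
$state   = issueOAuthState($session, $userId, 'example-provider');
echo "redirect: https://provider.example/authorize?state=$state\n";

// A forged callback carrying an arbitrary state passes the weak check ...
echo verifyOAuthStateWeak(['code' => 'x', 'state' => 'anything']) ? "weak: accepted\n" : "weak: rejected\n";

// ... but the hardened check accepts only the state this session issued, once.
$ok = verifyOAuthState($session, ['code' => 'abc', 'state' => $state], $userId, 'example-provider', time());
echo $ok ? "link accepted\n" : "link rejected\n";

$replay = verifyOAuthState($session, ['code' => 'abc', 'state' => $state], $userId, 'example-provider', time());
echo $replay ? "link accepted\n" : "link rejected (state already consumed)\n";
```

Binding the stored state to the user id matters specifically for the account-linking case: a state value minted while one user is logged in must not be able to complete a link for a different account, and consuming the value on first use keeps a captured callback URL from being replayed. Logging each rejection with its reason (missing, mismatched, expired, wrong user) gives the monitoring signal the WAF recommendation above is looking for.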

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 05:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Phpbb
                                      Phpbb phpbb
Vendors & Products                    Phpbb
                                      Phpbb phpbb

Fri, 12 Jun 2026 04:45:00 +0000

Type    Values Removed   Values Added
Title                    Improper OAuth State Verification Allows Account Takeover

Fri, 12 Jun 2026 03:30:00 +0000

Type          Values Removed   Values Added
Description                    Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim's account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover.
Weaknesses                     CWE-352
References
Metrics                        cvssV3_0: {'score': 8, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-12T02:27:43.506Z

Reserved: 2026-05-22T15:00:09.276Z

Link: CVE-2026-48612

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T04:17:10.123

Modified: 2026-06-12T04:17:10.123

Link: CVE-2026-48612

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T04:45:05Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)