A critical phpBB authentication bypass is putting countless online communities at risk right now. The flaw, tracked as CVE-2026-48611, lets an unauthenticated attacker log in as any user, including administrators. Because default installations are vulnerable out of the box, thousands of forums are affected.
A single request hijacks any account
The bug lives in phpBB’s OAuth implementation. Specifically, two improper checks let an attacker forge a valid session. Most worryingly, the attack works even when OAuth is never configured or enabled.
As a result, an attacker only needs a target’s username. On most boards the member list is public, so picking a victim is trivial. Then a single crafted request hands back a working session for that account.
The issue carries a CVSS score of 9.8, which places it among the most severe web flaws of the year. Researchers at Aikido Security discovered it. Meanwhile, Dan Stefan Alexandru of Pentest-Tools.com and Himanshu Anand reported related findings to the phpBB team.
Every board up to 3.3.16 is at risk
This phpBB authentication bypass affects every release up to and including 3.3.16. In other words, more than a decade of phpBB boards are exposed. The 4.0.0 alpha branch is vulnerable too.
The phpBB team shipped the fix in version 3.3.17 “Young Bertie” on June 6, 2026. You can read the full phpBB 3.3.17 release announcement for the complete list of patches.
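One practical way to triage a fleet of boards against the affected range above is to read each installation's declared version and compare it to 3.3.17. The script below is an added example, not tooling from phpBB or from the researchers named in this report; it assumes phpBB records its version in `includes/constants.php` as `define('PHPBB_VERSION', '...')` (the layout of current 3.3.x releases) and treats the 4.0.0 alpha branch as affected because the advisory says so, while anything newer that the advisory does not cover is reported as "unknown" rather than guessed.

```python
"""Triage phpBB installations against the CVE-2026-48611 fix in 3.3.17.

Added example, not phpBB's own code. Assumption: the install keeps its version
in includes/constants.php as define('PHPBB_VERSION', '<version>').
"""
import re
from pathlib import Path

# Matches define('PHPBB_VERSION', '3.3.16'); with single or double quotes.
VERSION_RE = re.compile(
    r"""define\(\s*['"]PHPBB_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)

# First release carrying the fix, per the advisory.
FIXED = (3, 3, 17)

# Constructed sample of the one relevant line from a 3.3.16 constants.php.
SAMPLE_CONSTANTS_PHP = """<?php
define('PHPBB_VERSION', '3.3.16');
"""


def parse_version(text: str) -> tuple[tuple[int, int, int], str]:
    """Split '3.3.16' or '4.0.0-a1' into (major, minor, patch) and a pre-release tag."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised phpBB version string: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), (m[4] or "")


def extract_version(constants_php: str) -> str:
    """Pull the PHPBB_VERSION literal out of the contents of constants.php."""
    m = VERSION_RE.search(constants_php)
    if not m:
        raise ValueError("PHPBB_VERSION not found in constants.php")
    return m[1]


def assess(version: str) -> str:
    """Classify a version string as vulnerable, patched, or unknown."""
    nums, pre = parse_version(version)
    if nums < FIXED:
        return "vulnerable"      # every release up to and including 3.3.16
    if nums[:2] == (3, 3):
        return "patched"         # 3.3.17 or a later 3.3.x
    if nums[:2] == (4, 0) and pre:
        return "vulnerable"      # 4.0.0 alpha branch is affected per the advisory
    return "unknown"             # not covered by the advisory; check its release notes


def assess_install(root: Path) -> str:
    """Assess a phpBB install rooted at `root` (assumed standard file layout)."""
    constants = root / "includes" / "constants.php"
    return assess(extract_version(constants.read_text(encoding="utf-8")))


if __name__ == "__main__":
    # Demo on the constructed sample rather than a live install.
    v = extract_version(SAMPLE_CONSTANTS_PHP)
    print(f"PHPBB_VERSION={v}: {assess(v)}")
    # For a real board: print(assess_install(Path("/var/www/forum")))
```

Run it against each document root you administer; an "unknown" result means the version is outside what this report describes, so consult the release announcement rather than assuming it is safe.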
What admins should do now
Update immediately. Upgrading to 3.3.17 is the only complete fix, so do not delay.
If you cannot patch yet, apply the official mitigations. For boards that do not use Apache or LDAP authentication, the developers describe a temporary workaround to prevent the authentication bypass. Additionally, disable OAuth in the ACP until you finish the upgrade.
The same release also fixes three other flaws, including an ACP permission escalation and a potential SQL injection in a profile field migration. None of them approaches the severity of the account takeover bug, however.
Attackers are already probing exposed boards. Therefore, treat this update as an emergency rather than routine maintenance.