phpBB authentication bypass: introducing PTT-2026-004 and PTT-2026-005
Our security research team discovered two vulnerabilities in phpBB that let an attacker impersonate or hijack any user account, including admins, without knowing the password.
PTT-2026-004 requires a single unauthenticated HTTP request and works on default phpBB installations. PTT-2026-005 requires phpBB to have OAuth configured and the victim to be logged in when they access the attacker-supplied link.

PTT-2026-004 - authentication bypass in phpBB
CVE: Pending CVE ID
PTT ID: PTT-2026-004
CVSS v3.1: 9.4 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
CWE: CWE-305: Authentication Bypass by Primary Weakness
Affected versions: phpBB <= 3.3.16 and 4.0.0-a2 (default configuration, auth_method=db)
Fixed in: phpBB 3.3.17 - June 6, 2026
Discovered by: Dan Stefan Alexandru, Pentest-Tools.com security research team
Reported to vendor: June 4, 2026
Public disclosure: June 8, 2026
What is PTT-2026-004?
PTT-2026-004 is an authentication bypass in phpBB that lets an attacker get a valid session as any active user, including administrators, with a single unauthenticated HTTP request.
No password, no prior access, and no user interaction required.
The vulnerability was discovered by Dan Stefan Alexandru of the Pentest-Tools.com security research team and reported to phpBB on June 4, 2026.
The fix shipped in phpBB 3.3.17 on June 6, 2026.
Affected software by PTT-2026-004
All phpBB versions prior to 3.3.17 running with auth_method=db (the default) are affected, so every default installation of those versions is exposed. phpBB 4.0.0-a2 is also affected.
Business impact of PTT-2026-004
A successful attack gives the attacker a valid phpBB session as any active user.
For regular accounts, this means access to private messages and any content visible to that user. For administrator accounts, it means full read, write and delete access to the entire forum: posts, private boards, user data, and so on.
The only built-in control that limits further escalation is the Administration Control Panel (ACP), which requires a separate re-authentication step with the account password. The attacker therefore cannot reach ACP functionality without knowing the admin's password, but forum-level access, including all private content, is unrestricted.
Exploitation requires only a known username. On default phpBB installations, the member list is publicly accessible, so an attacker can enumerate targets without any prior access.
Affected deployments include:
→ Any public phpBB forum running a version prior to 3.3.17 - the member list is visible by default, making username enumeration trivial.
→ Internal phpBB installations (company wikis, support boards) where the member list may be restricted - an attacker with internal network access or a known username can still exploit this.
→ phpBB 4.0.0-a2 alpha installations.

Detection and scanning for PTT-2026-004
You can detect vulnerable phpBB installations using the Network Scanner on Pentest-Tools.com. Detection is available on all paid plans. Here is a sample finding for an exposed target that you can include in your vulnerability assessment report or penetration test report:
Mitigation for PTT-2026-004
Patch. Upgrade to phpBB 3.3.17 or later. This is the only complete fix. There is no configuration workaround that fully closes this attack path on versions prior to 3.3.17.
After patching. Re-scan affected assets to confirm the fix is in place and no vulnerable instances remain.
Discovery and disclosure timeline for PTT-2026-004
May 13, 2026: Vulnerability discovered by Dan Stefan Alexandru, Pentest-Tools.com security research team
June 4, 2026: Reported to phpBB security team by Dan Stefan Alexandru
June 6, 2026: phpBB 3.3.17 released
June 8, 2026: Public disclosure - this page published
References for PTT-2026-004
PTT-2026-005 - OAuth auth-link CSRF leading to account takeover
CVE: Pending CVE ID
PTT ID: PTT-2026-005
CVSS v3.1: 8.3 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
CWE: CWE-352: Cross-Site Request Forgery (missing OAuth state validation)
Affected versions: phpBB < 3.3.17 (OAuth must be configured - not the default)
Fixed in: phpBB 3.3.17 - June 6, 2026
Discovered by: Dan Stefan Alexandru, Pentest-Tools.com security research team
Reported to vendor: June 4, 2026
Public disclosure: June 8, 2026
What is PTT-2026-005?
PTT-2026-005 is a chained vulnerability in phpBB's OAuth implementation that lets an attacker take over the account of any logged-in user who opens a single attacker-supplied URL.
Affected software by PTT-2026-005
All phpBB versions prior to 3.3.17 where $config['auth_method'] is set to 'oauth' and at least one OAuth 2.0 provider (Google, Facebook, or Bitly) is configured with valid client credentials. Twitter (OAuth 1.0a) is not affected.
Default phpBB installations use auth_method = 'db' and are not exposed to PTT-2026-005. This vulnerability only affects boards where an administrator has explicitly enabled OAuth authentication.
Business impact of PTT-2026-005
A successful attack gives the attacker a persistent OAuth login path into the victim's phpBB account: the attacker's provider identity is bound to the victim's account, and the binding persists in phpbb_oauth_accounts until an administrator removes it or the victim notices and revokes it.
For regular user accounts, the attacker gains access to private messages, any content visible to that user, and the ability to post or take moderation actions under the victim's identity. For administrator accounts, this extends to full forum management - user data, private boards, configuration, and the ability to moderate or delete any content.
phpBB's Administration Control Panel requires password re-authentication and does not offer OAuth login, so ACP-level functions are not reachable via this chain. Password and email changes also require the current password.
The attack can be delivered without the victim clicking anything, by embedding the malicious URL inside an <img src="..."> tag in a forum post or private message. The victim's browser loads the image, making the GET request while the victim is authenticated, and the account link is created silently.
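To make the CWE-352 point concrete, here is an added example (not phpBB's code, and not the handler phpBB ships) that models an OAuth "link this provider to my account" callback in two forms: one that accepts any authorization code delivered by a cross-site GET, and one that insists the request echo a state value minted in the victim's own session. The Session class, the handler names, the request dictionary and the stand-in code exchange are all assumptions made for the demo.

```python
"""Added example (not phpBB's code): a minimal model of an OAuth "link this
provider to my account" callback, to show the CWE-352 failure mode named above.
Everything here is assumed for the demo: the Session class, the handler names,
the request dict, and the stand-in token exchange."""
import hmac
import secrets


class Session:
    """Stand-in for a logged-in browser session (constructed for the demo)."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.oauth_state = None  # set only when this user starts a link flow


def provider_identity_for(code):
    """Stand-in for redeeming `code` at the provider; returns the provider-side account id."""
    return "provider-id-for-" + code


def start_link(session):
    """Safe flow, step 1: mint a random, per-session, single-use state and remember it."""
    session.oauth_state = secrets.token_urlsafe(32)
    return session.oauth_state


def vulnerable_link_callback(session, params, oauth_accounts):
    """Binds whatever identity `code` resolves to, to the session's user, with no
    proof that this user started the flow. A cross-site GET (an <img src> in a
    post) carrying the attacker's code is therefore honoured."""
    identity = provider_identity_for(params["code"])
    oauth_accounts[(session.user_id, "google")] = identity
    return True


def hardened_link_callback(session, params, oauth_accounts):
    """Accepts only if the request echoes the state minted in *this* session, and
    consumes the state so the same URL cannot be replayed."""
    expected = session.oauth_state
    supplied = params.get("state")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return False
    session.oauth_state = None
    identity = provider_identity_for(params["code"])
    oauth_accounts[(session.user_id, "google")] = identity
    return True


def forged_request(callback):
    """Victim (user 42) is logged in and never started a link flow; their browser
    is made to GET the callback URL with the attacker's authorization code.
    Returns (accepted?, identity now bound to user 42)."""
    accounts = {}
    victim = Session(user_id=42)
    forged = {"code": "attacker-code"}  # the query string the <img src> URL carries
    accepted = callback(victim, forged, accounts)
    return accepted, accounts.get((42, "google"))


def legitimate_then_replay():
    """User 42 starts the flow themselves; the genuine callback is accepted, and a
    replay of the very same URL is refused because the state was consumed."""
    accounts = {}
    user = Session(user_id=42)
    state = start_link(user)
    genuine = {"code": "users-own-code", "state": state}
    first = hardened_link_callback(user, genuine, accounts)
    replay = hardened_link_callback(user, genuine, accounts)
    return first, replay, accounts[(42, "google")]
```

The check that matters is that `state` is compared, in constant time, against a value stored in the victim's own session and cleared after use. A state that is merely present in the URL, or that is compared against a board-wide value, still lets a static URL in an image tag succeed.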
Affected deployments include any phpBB board where an administrator has enabled OAuth authentication with Google, Facebook, or Bitly as the provider.
Mitigation for PTT-2026-005
Patch. Upgrade to phpBB 3.3.17 or later.
If you cannot patch immediately and your board has OAuth enabled, disable OAuth authentication in the administration panel (ACP > General > Authentication) and switch to auth_method=db until the upgrade is complete. This removes the attack surface entirely.
After patching. Audit phpbb_oauth_accounts for unexpected entries - rows where the oauth_provider_id does not match an account the user intentionally linked. Remove any suspicious entries.
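As an added example of that audit step (not phpBB's own tooling), the following runs the relevant queries against a constructed in-memory SQLite copy of phpbb_oauth_accounts and phpbb_users. The column names (user_id, provider, oauth_provider_id) follow phpBB's schema; the exact provider strings, the sample rows, and the heuristic of flagging one provider identity bound to several board accounts are assumptions made here, not facts from the advisory.

```python
"""Added example (not phpBB's own tooling): audit queries for the post-patch
step above, run against a constructed in-memory copy of phpbb_oauth_accounts
and phpbb_users. Column names follow phpBB's schema; the provider strings and
every sample row are assumptions made for this demo."""
import sqlite3

GOOGLE = "auth.provider.oauth.service.google"      # assumed provider key format
FACEBOOK = "auth.provider.oauth.service.facebook"


def load_sample_db():
    """Constructed board state: genuine links for alice and carol, and one
    provider identity (g-9999) bound to both the admin and bob."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE phpbb_users (
            user_id  INTEGER PRIMARY KEY,
            username TEXT NOT NULL);
        CREATE TABLE phpbb_oauth_accounts (
            user_id           INTEGER NOT NULL,
            provider          TEXT    NOT NULL,
            oauth_provider_id TEXT    NOT NULL,
            PRIMARY KEY (user_id, provider));
    """)
    db.executemany("INSERT INTO phpbb_users VALUES (?, ?)",
                   [(2, "admin"), (10, "alice"), (11, "bob"), (12, "carol")])
    db.executemany("INSERT INTO phpbb_oauth_accounts VALUES (?, ?, ?)", [
        (10, GOOGLE, "g-1001"),     # alice linked her own account
        (2, GOOGLE, "g-9999"),      # admin: same provider identity as bob below
        (11, GOOGLE, "g-9999"),     # bob:   one provider identity on two accounts
        (12, FACEBOOK, "fb-77"),    # carol linked her own account
    ])
    return db


def list_links(db):
    """Every OAuth binding with its owning username, for manual confirmation
    with the users (the table carries no timestamp to sort by)."""
    return db.execute("""
        SELECT u.user_id, u.username, a.provider, a.oauth_provider_id
        FROM phpbb_oauth_accounts a
        JOIN phpbb_users u ON u.user_id = a.user_id
        ORDER BY u.user_id, a.provider""").fetchall()


def shared_provider_ids(db):
    """Heuristic (assumed here, not from the advisory): a provider identity bound
    to more than one board account is how an attacker who reused a single
    Google/Facebook/Bitly identity against several victims would look.
    Returns {(provider, oauth_provider_id): [usernames...]}."""
    rows = db.execute("""
        SELECT a.provider, a.oauth_provider_id, u.username
        FROM phpbb_oauth_accounts a
        JOIN phpbb_users u ON u.user_id = a.user_id
        JOIN (SELECT provider, oauth_provider_id
              FROM phpbb_oauth_accounts
              GROUP BY provider, oauth_provider_id
              HAVING COUNT(*) > 1) d
          ON d.provider = a.provider AND d.oauth_provider_id = a.oauth_provider_id
        ORDER BY a.provider, a.oauth_provider_id, u.username""").fetchall()
    shared = {}
    for provider, pid, username in rows:
        shared.setdefault((provider, pid), []).append(username)
    return shared


def remove_link(db, user_id, provider):
    """Drop one binding the user did not create; returns rows deleted (0 or 1)."""
    cur = db.execute(
        "DELETE FROM phpbb_oauth_accounts WHERE user_id = ? AND provider = ?",
        (user_id, provider))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    board = load_sample_db()
    for row in list_links(board):
        print(row)
    print("shared provider identities:", shared_provider_ids(board))
```

On a live board, point the same SQL at the real database and adjust the table prefix if it is not phpbb_. The shared-identity heuristic only catches an attacker who reused one provider identity; a link planted on a single victim looks like any other row, so the full list still has to be confirmed with each user before anything is removed.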
Discovery and disclosure timeline for PTT-2026-005
May 13, 2026: Vulnerability discovered by Dan Stefan Alexandru, Pentest-Tools.com security research team
June 4, 2026: Reported to phpBB security team by Dan Stefan Alexandru
June 6, 2026: phpBB 3.3.17 released
June 8, 2026: Public disclosure - this page published
References for PTT-2026-005
→ phpBB 3.3.17 release announcement
→ CWE-352 — Cross-Site Request Forgery
→ CVE-2026-29199 on NVD (related, not PTT research)
→ GitHub Advisory GHSA-7gm6-w7mx-58cr (related)
Related vulnerability (not PTT research): CVE-2026-29199
CVE-2026-29199 (host header injection via password reset, CVSS 8.1 HIGH) was fixed in phpBB 3.3.16 and is not PTT research. It was credited to SEONG HUN JEONG (HunSec). It is listed here to avoid confusion, as phpBB's 3.3.16 and 3.3.17 releases happened in close succession. View CVE-2026-29199 on NVD.
