DEV Community

Cover image for Critical phpBB Authentication Bypass Allows Instant Account Takeover
BeyondMachines for BeyondMachines

Posted on • Originally published at beyondmachines.net

Critical phpBB Authentication Bypass Allows Instant Account Takeover

Summary

phpBB version 3.3.17 patches a critical authentication bypass (CVE-2026-48611) that allows unauthenticated attackers to take over any account, including administrators, by manipulating the auth_provider parameter.

Take Action:

If you run a phpBB forum (versions 3.1.0 through 3.3.16, or 4.0.0-a2), this is important and urgent. Update to version 3.3.17 immediately. If you can't patch right away, delete the apache.php and ldap.php files from the phpbb/auth/provider/ directory, and check your server logs for suspicious auth_provider=apache and mode=login_link requests. If found, reset all user sessions and assume those accounts are compromised.


Read the full article on BeyondMachines


This article was originally published on BeyondMachines

Top comments (0)