Researchers discovered an authentication bypass vulnerability in phpBB forum software that has existed for 10 years. The vulnerability allows an attacker to authenticate as any user, including administrators, using a trivial single HTTP request. It impacts all 3.x versions up to 3.3.16 and the early 4.x alpha release 4.0.0-a2. The issue was reported via phpBB's HackerOne program and patched promptly in version 3.3.17 for the 3.x branch. No official fix is yet available for the 4.x branch. Exploitation requires no special configuration and can be performed on default installations. While administrator access can lead to full forum control and data exposure, remote code execution is prevented by separate password checks on the admin control panel. The researchers withheld technical details temporarily to allow administrators time to patch. The update may affect OAuth authentication due to changes in redirect handling.

Successful exploitation allows attackers to bypass authentication and log in as any user, including administrators. This can lead to unauthorized access to private messages, creation, modification, or deletion of content and user accounts, impersonation of staff members, and defacement of forums. The vulnerability does not enable remote code execution due to additional password checks protecting the admin control panel. The flaw affects default configurations and thus poses a significant risk to phpBB forums running vulnerable versions.

A fix is available in phpBB version 3.3.17 for the 3.x branch. Administrators should upgrade immediately if running version 3.3.16 or below. For the 4.x branch (including 4.0.0-a2), no official fix is currently available; monitor phpBB advisories for updates. Forum administrators should apply the patch promptly to prevent compromise. Note that the update may require adjustments to OAuth authentication configurations due to changes in the OAuth redirect handler location.