phpBB patches decade-old login bypass after mass risk

A decade-old authentication bypass in phpBB lets attackers log in as any user, including administrators. Discovered on June 2 and reported via HackerOne, the issue was fixed on June 6 in phpBB 3.3.17, while 4.x still has no safe update. Security teams are urged

For years, a phpBB forum could be taken over with a single move: one HTTP request.

A 10-year-old authentication bypass vulnerability discovered in phpBB’s forum software allows an attacker to log in as any user—including administrators. The flaw has no identifier, is described as trivial to exploit, and affects phpBB versions 4.0.0-a2 or 3.3.16 and below.

What makes the discovery especially urgent is that it doesn’t require special effort. Application security company Aikido found the bug on June 2 and reported it through the developer’s HackerOne Vulnerability Disclosure Program. phpBB responded quickly, addressing the problem on June 6 in version 3.3.17.

Still, the timeline leaves a clear gap for people running older installations. Aikido says the bug was introduced into phpBB’s codebase 10 years ago and impacts all versions across the 3.x and 4.x release branches up to 3.3.16 and 4.0.0-a2. For the 4.x release, there’s no fix available yet.

Once an attacker gains that kind of access, the consequences aren’t subtle. Administrator access could allow attackers to view all private messages stored on the forum, create, modify, or delete content and user accounts, impersonate staff, or deface sites.

Even the starting point for choosing targets is low-friction. Aikido notes that picking targets is straightforward because the member list on phpBB forums is public by default.

Aikido also stresses that the vulnerability is exploitable in the default configuration and requires no special knowledge. In the company’s report, it adds: “If you are on version 4.0.0-a2 or 3.3.16 and below, upgrade immediately to master (no safe 4.x release yet) and 3.3.17, respectively, to avoid compromise.”

There is one boundary that Aikido points out: remote code execution is not possible because a separate password check protects the Admin Control Panel.

That doesn’t make it harmless. If attackers can log in as administrators, they can still move through the platform with the same authority as the people meant to run it—reading private messages, reshaping content, creating and deleting accounts, and wearing the site’s identity as their own. And since forum administrators are often managing large communities, the operational damage can be immediate even without any need for advanced technical exploitation.

phpBB is a PHP-based free and open-source web forum platform that enjoyed peak popularity in the 2000s and early 2010s. Today, it still powers thousands of forums worldwide—meaning the patch urgency extends far beyond a handful of niche sites.

Aikido says it withheld all technical details for now to give forum administrators enough time to apply the updates. The company also contacted administrators of large phpBB-based forums directly.

There’s one practical snag administrators should watch for after updating. Aikido warns that the update may cause forums using OAuth authentication to break, because the OAuth redirect handler has moved to a new location. The company says this should be a simple fix in most cases.

Aikido promised to publish the full details of the flaw in a future report, but did not provide a specific timeline. For now, the message is blunt and time-sensitive: if a forum is on phpBB 4.0.0-a2 or 3.3.16 and below, the guidance is to upgrade immediately—because the bug’s age doesn’t reduce its danger, it only explains how long it may have been waiting.
