
phpBB, one of the most widely used open-source forum platforms, has patched a critical authentication bypass bug that had been hiding in the software for about ten years. The flaw is severe: an attacker who knows a username can log into that account — including administrator accounts — with a single web request and no password required. Once inside, they can read all private messages, create or delete posts and user accounts, impersonate moderators, or completely deface the site.
The vulnerability works on phpBB’s default configuration, meaning no unusual settings are required to be at risk. Because phpBB forums display their member lists publicly by default, an attacker can easily gather valid usernames to target. Any phpBB forum running a vulnerable version and accessible from the internet is exposed. The good news: a patch is already available and the fix is straightforward — upgrade your forum software.
How to check if you’re affected
Affected versions include phpBB 3.3.16 and all earlier releases in the 3.x branch, as well as phpBB 4.0.0-a2 and all earlier 4.x alpha releases. To check your version, log into your forum’s Administration Control Panel — the phpBB version number is displayed at the bottom of every admin page. If you are on an affected version, update to phpBB 3.3.17 immediately. If your forum uses OAuth (social login) for authentication, you may need to re-enter your OAuth configuration settings after updating.
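As an added example (not code from phpBB or from the article), the version-range check above written out as a small Python script, so an administrator with shell access to many forums can screen them offline instead of logging into each Administration Control Panel. It assumes phpBB's usual "major.minor.patch" tags with optional "-a1"/"-b1"/"-rc1" pre-release suffixes, and it assumes the installed version is recorded in includes/constants.php as a PHPBB_VERSION constant; the sample constants.php text is constructed for the demonstration. The ordering it implements is the general one (alpha before beta before release candidate before final), so it also classifies pre-release tags the article does not mention, such as 3.3.17-rc1, as outside the listed affected range.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the article: 3.3.16 and every earlier 3.x release,
# 4.0.0-a2 and every earlier 4.x alpha. Fixed 3.x release: 3.3.17.
LAST_VULNERABLE_3X = "3.3.16"
LAST_VULNERABLE_4X = "4.0.0-a2"
FIXED_3X = "3.3.17"

# Assumption: phpBB release tags look like "3.3.16" or "4.0.0-a2" (stage letters a/b/rc)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(a|b|rc)(\d+))?$", re.IGNORECASE)
# Pre-release stages sort before the final release: a < b < rc < final
_STAGE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3

VersionKey = Tuple[int, int, int, int, int]


def version_key(text: str) -> VersionKey:
    """Turn a phpBB version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised phpBB version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, _STAGE_RANK[m.group(4).lower()], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


def is_affected(text: str) -> bool:
    """True when the version falls inside a range the article lists as vulnerable."""
    key = version_key(text)
    if key[0] == 3:
        return key <= version_key(LAST_VULNERABLE_3X)
    if key[0] == 4:
        return key <= version_key(LAST_VULNERABLE_4X)
    # Other major versions are not covered by the article's affected list
    return False


# Assumption: phpBB records its version in includes/constants.php as
#   define('PHPBB_VERSION', '3.3.16');
_CONSTANT_RE = re.compile(
    r"""define\(\s*['"]PHPBB_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def version_from_constants(php_source: str) -> Optional[str]:
    """Extract the PHPBB_VERSION value from the text of includes/constants.php."""
    m = _CONSTANT_RE.search(php_source)
    return m.group(1) if m else None


def check_install(php_source: str) -> str:
    """One-line verdict for an installation, given the contents of includes/constants.php."""
    version = version_from_constants(php_source)
    if version is None:
        return "could not determine version: PHPBB_VERSION not found"
    if is_affected(version):
        return f"phpBB {version} is AFFECTED (fixed 3.x release: {FIXED_3X})"
    return f"phpBB {version} is outside the listed affected range"


# Constructed sample of the relevant line in a vulnerable install's constants.php
SAMPLE_CONSTANTS_PHP = """<?php
// ... other definitions omitted ...
define('PHPBB_VERSION', '3.3.16');
"""

if __name__ == "__main__":
    for v in ("3.0.12", "3.3.16", "3.3.17", "3.3.17-rc1", "4.0.0-a1", "4.0.0-a2", "4.0.0-a3"):
        print(f"{v:12} affected={is_affected(v)}")
    print(check_install(SAMPLE_CONSTANTS_PHP))
```

Run it against the real file with something like `python3 check.py < /path/to/forum/includes/constants.php` after replacing the constructed sample with `sys.stdin.read()`; a version string the regex does not recognise raises rather than silently reporting "not affected", which is the safer failure mode for a screening script.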
