diff --git a/phpBB/includes/ucp/ucp_login_link.php b/phpBB/includes/ucp/ucp_login_link.php
--- a/phpBB/includes/ucp/ucp_login_link.php
+++ b/phpBB/includes/ucp/ucp_login_link.php
@@ -56,10 +56,13 @@
 			$login_link_error = $user->lang['LOGIN_LINK_NO_DATA_PROVIDED'];
 		}
 
-		// Use the auth_provider requested even if different from configured
+		// Always use the board-configured auth provider for login linking.
+		// Never allow the auth_provider request parameter to steer provider
+		// selection, as that enables an attacker to invoke a password-less
+		// provider (e.g. apache) and bypass authentication (CVE-2026-48611).
 		/* @var $provider_collection \phpbb\auth\provider_collection */
 		$provider_collection = $phpbb_container->get('auth.provider_collection');
-		$auth_provider = $provider_collection->get_provider($request->variable('auth_provider', ''));
+		$auth_provider = $provider_collection->get_provider();
 
 		// Set the link_method to login_link
 		$data['link_method'] = 'login_link';
diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php
--- a/phpBB/includes/ucp/ucp_register.php
+++ b/phpBB/includes/ucp/ucp_register.php
@@ -117,7 +117,9 @@
 			// Confirm that we have all necessary data
 			/* @var $provider_collection \phpbb\auth\provider_collection */
 			$provider_collection = $phpbb_container->get('auth.provider_collection');
-			$auth_provider = $provider_collection->get_provider($request->variable('auth_provider', ''));
+			// Use the board-configured auth provider; never let the auth_provider
+			// request parameter steer provider selection (CVE-2026-48611).
+			$auth_provider = $provider_collection->get_provider();
 
 			$result = $auth_provider->login_link_has_necessary_data($login_link_data);
 			if ($result !== null)
