{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": "attacker-controlled auth_provider parameter and HTTP Basic Authorization header (PHP_AUTH_USER) for any existing username",
    "claimed_surface": "api_remote",
    "expected_impact": "authz_bypass",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": "ucp.php?mode=login_link with auth_provider=apache and HTTP Basic Authorization header",
    "required_entrypoint_kind": "endpoint",
    "submission_reason": "ticket_derived_llm",
    "trigger_class": "service_api",
    "upstream_verdicts": {
      "claim_extraction": {
        "confidence": "high",
        "model": "accounts/fireworks/models/kimi-k2p7-code",
        "reason": "Ticket describes unauthenticated attacker sending HTTP Basic Authorization header to ucp.php?mode=login_link with attacker-controlled auth_provider=apache to obtain a valid session as arbitrary user, including administrators, without password.",
        "source": "llm"
      }
    }
  },
  "latest_description": "CVE-2026-48611 is a critical authentication bypass in phpBB 3.3.0 through 3.3.16 (and 4.0.0-a2). The UCP login-link flow (`ucp.php?mode=login_link`) accepts an attacker-controlled `auth_provider` parameter and invokes the chosen provider's `login()` method. By selecting `auth_provider=apache` and sending an HTTP Basic Authorization header for any existing username, an unauthenticated attacker can obtain a valid session as that user, including administrators, without knowing the password. Default `auth_method=db` installations are vulnerable out of the box; OAuth is not required. The root cause is that phpBB's `apache` authentication provider treats `PHP_AUTH_USER` from a Basic Authorization header as trusted and never validates the password before `session_create()` is called. Fixed in phpBB 3.3.17 (released 2026-06-06). No fixed release is named here for the affected 4.0.0-a2 alpha. For detection, a `login_link` request that sets `auth_provider=apache` on a board whose configured `auth_method` is not `apache` is unlikely to be legitimate and is worth alerting on. Attack goal: unauthenticated remote account hijacking of arbitrary known accounts, leading to full board compromise.",
  "product": "phpbb",
  "severity": "critical",
  "status": "open",
  "summary": "phpBB authentication bypass/account hijacking via the OAuth login-link flow (ucp.php?mode=login_link) with attacker-chosen auth_provider=apache; OAuth need not be enabled",
  "ticket_id": "CVE-2026-48611"
}