# CVE-2026-48611

## Summary

phpBB authentication bypass/account hijacking via OAuth login-link flow with arbitrary auth_provider=apache

## Description

CVE-2026-48611 is a critical authentication bypass in phpBB 3.3.0-3.3.16 (and 4.0.0-a2). The UCP login-link flow (`ucp.php?mode=login_link`) accepts an attacker-controlled `auth_provider` parameter and invokes the chosen provider's `login()` method. By selecting `auth_provider=apache` and sending an HTTP Basic Authorization header for any existing username, an unauthenticated attacker can obtain a valid session as that user, including administrators, without knowing the password. Default `auth_method=db` installations are vulnerable out of the box; OAuth is not required.

The root cause is that phpBB's `apache` authentication provider treats `PHP_AUTH_USER` from a Basic Authorization header as trusted and never validates the password before `session_create()` is called.

Fixed in phpBB 3.3.17 (released 2026-06-06). Attack goal: unauthenticated remote account hijacking of arbitrary known accounts, leading to full board compromise.
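
A defender's first question is whether the login-link flow was ever called with a non-OAuth provider. The following scanner is an added example, not part of this CVE record or of phpBB; it assumes web server logs in Combined Log Format, assumes OAuth provider names carry an `oauth` prefix, and runs over constructed sample lines (including a percent-encoded variant, which is why the query string is decoded before comparison).

```python
"""Flag requests matching the CVE-2026-48611 pattern in access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic). Line 2 percent-encodes the provider name.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:12:00:01 +0000] "GET /forum/ucp.php?mode=login_link&auth_provider=apache HTTP/1.1" 302 0
203.0.113.7 - - [10/Jun/2026:12:00:02 +0000] "GET /forum/ucp.php?mode=login_link&auth_provider=%41pache HTTP/1.1" 302 0
198.51.100.4 - - [10/Jun/2026:12:00:03 +0000] "GET /forum/ucp.php?mode=login_link&auth_provider=oauth.google HTTP/1.1" 302 0
198.51.100.9 - - [10/Jun/2026:12:00:04 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 5678
"""


def classify_request(target):
    """Return a reason string for a suspicious login_link request, else None.

    Decodes the query string so encoded or mixed-case provider names are not missed.
    """
    parts = urlsplit(target)
    if parts.path.lower().rsplit("/", 1)[-1] != "ucp.php":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "login_link" not in [m.lower() for m in qs.get("mode", [])]:
        return None
    providers = [p.lower() for p in qs.get("auth_provider", [])]
    if "apache" in providers:
        return "apache provider via login_link (CVE-2026-48611 pattern)"
    # Assumption: legitimate login_link providers are OAuth services named "oauth...".
    odd = [p for p in providers if not p.startswith("oauth")]
    if odd:
        return "non-OAuth provider via login_link: " + ",".join(odd)
    return None


def scan_log(text):
    """Parse each log line and collect findings with source IP, timestamp and status."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["target"])
        if reason:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "reason": reason})
    return findings
```

A 302 on these requests is worth treating as a likely successful session creation and correlating with subsequent activity from the same source.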

## Metadata

- Product: phpbb
- Severity: critical
- Status: open
