Critical phpBB Flaw Allows Account Hijacking with Single Request, Affecting All Users
A significant security vulnerability has been identified in the phpBB forum software, allowing attackers to hijack any account, including those of administrators, with a single unauthenticated request. This flaw, tracked as PTT-2026-004, has been rated 9.4 on the CVSS scale and affects all phpBB versions up to 3.3.16, as well as the 4.0.0 alpha version. The vulnerability was discovered by Dan Stefan Alexandru from Pentest-Tools.com and reported to phpBB on June 4. The flaw exploits the default database-authentication mode, making a standard installation vulnerable. An attacker only needs a target's username, which can be easily obtained from the public member list, to execute the attack. Successful exploitation grants the attacker a valid session as the chosen account, allowing access to private messages and any content visible to the victim. However, access to the Administration Control Panel remains restricted, as it requires the admin's password. 
