CVE-2026-48611

CRITICAL

phpBB < 3.3.16 - Improper Authentication

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-48611. PoCs published by citruscitruscitruscitruscitrusci.

AI-analyzed exploit summary: The PoC exploits improper handling of the 'auth_provider' parameter in the login process. It sends a crafted POST request carrying an HTTP Basic Authorization header and bypasses authentication.

Description

Improper authentication checks in phpBB's OAuth implementation allow account hijacking even when OAuth is not configured or enabled, leading to unauthorized access in default installations.
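Two offline checks a defender can run against this entry, as an added example (not code from this page, from phpBB, or from the PoC repository): a version triage against the affected range the page lists, and a detector that flags request records matching the pattern the exploit summary describes, a POST to the login endpoint that carries an 'auth_provider' parameter together with an HTTP Basic Authorization header. It assumes phpBB's standard login endpoint ucp.php?mode=login and the constructed JSON record layout embedded below; the PoC's exact payload is not on this page, so the detector matches only the two elements the summary names and accepts 'auth_provider' in either the query string or the POST body.

```python
"""Offline triage helpers for CVE-2026-48611 (phpBB < 3.3.16, OAuth auth bypass).

Added example; not code from this page, from phpBB, or from the PoC repository.

  is_affected_version(ver)        -> is a phpBB version in the range this page
                                      lists as affected, 3.3.0 up to but not
                                      including the fixed release 3.3.16?
  flag_suspicious_logins(records) -> ids of request records showing the pattern
                                      the exploit summary describes: a POST to
                                      the login endpoint with an 'auth_provider'
                                      parameter and an HTTP Basic Authorization
                                      header.

Assumptions not stated on the page: the login endpoint is phpBB's standard
ucp.php?mode=login; records are JSON objects with the field names used in
SAMPLE_LOG; the PoC payload is unknown here, so the match is on the two
elements the summary names, with 'auth_provider' accepted in the query string
or the POST body.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

FIRST_AFFECTED = (3, 3, 0)
FIXED_VERSION = (3, 3, 16)


def parse_version(ver: str) -> tuple:
    """Reduce '3.3.15', 'v3.3.15' or '3.3.15-RC1' to a comparable tuple.

    Caveat: a pre-release such as '3.3.16-RC1' compares equal to 3.3.16 and
    is therefore reported as fixed; review pre-release builds by hand.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", ver)
    if not m:
        raise ValueError(f"unrecognised phpBB version string: {ver!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_version(ver: str) -> bool:
    return FIRST_AFFECTED <= parse_version(ver) < FIXED_VERSION


# Constructed sample records (newline-delimited JSON), not real traffic.
# r1: ordinary form login                         -> benign
# r2: OAuth-style login without a Basic header    -> benign on its own
# r3: auth_provider + Basic header on a POST      -> matches the described pattern
# r4: Basic header only (e.g. a proxy in front)   -> benign
# r5: both elements but a GET                     -> not the described POST
SAMPLE_LOG = """
{"id": "r1", "method": "POST", "path": "/forum/ucp.php?mode=login", "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": "username=alice&password=hunter2&login=Login"}
{"id": "r2", "method": "POST", "path": "/forum/ucp.php?mode=login&auth_provider=oauth.google", "headers": {}, "body": "login=Login"}
{"id": "r3", "method": "POST", "path": "/forum/ucp.php?mode=login", "headers": {"Authorization": "Basic YWRtaW46eA==", "Content-Type": "application/x-www-form-urlencoded"}, "body": "auth_provider=oauth.google&login=Login"}
{"id": "r4", "method": "POST", "path": "/forum/ucp.php?mode=login", "headers": {"authorization": "Basic dXNlcjpwYXNz"}, "body": "username=bob&password=pw&login=Login"}
{"id": "r5", "method": "GET", "path": "/forum/ucp.php?mode=login&auth_provider=oauth.google", "headers": {"Authorization": "Basic YWRtaW46eA=="}, "body": ""}
"""


def load_records(text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _is_login_endpoint(rec: dict) -> bool:
    parts = urlsplit(rec.get("path", ""))
    return parts.path.endswith("/ucp.php") and parse_qs(parts.query).get("mode") == ["login"]


def _has_auth_provider(rec: dict) -> bool:
    query = parse_qs(urlsplit(rec.get("path", "")).query)
    body = parse_qs(rec.get("body") or "")
    return "auth_provider" in query or "auth_provider" in body


def _has_basic_auth(rec: dict) -> bool:
    headers = {k.lower(): v for k, v in (rec.get("headers") or {}).items()}
    return headers.get("authorization", "").strip().lower().startswith("basic ")


def flag_suspicious_logins(records: list) -> list:
    """Return ids of POSTs to the login endpoint carrying both elements."""
    return [
        rec["id"]
        for rec in records
        if rec.get("method", "").upper() == "POST"
        and _is_login_endpoint(rec)
        and _has_auth_provider(rec)
        and _has_basic_auth(rec)
    ]


if __name__ == "__main__":
    for v in ("3.3.15", "3.3.16"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    print("suspicious:", flag_suspicious_logins(load_records(SAMPLE_LOG)))
```

A hit from flag_suspicious_logins is a reason to pull the full request and the account's subsequent session activity, not proof of compromise on its own; since the description says the bypass works even with OAuth disabled, an 'auth_provider' parameter arriving at a forum that has no OAuth provider enabled is itself worth alerting on. Upgrade to 3.3.16 or later regardless of what the logs show.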

Exploits (1)

GitHub · WORKING POC
by citruscitruscitruscitruscitrusci · javascript · poc
https://github.com/citruscitruscitruscitruscitrusci/CVE-2026-48611-poc

Classification
Working PoC (90% confidence)
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Unknown (likely a PHP-based web application, possibly a forum or CMS)
No auth needed
Prerequisites: Access to the target application's login page · JavaScript execution context (e.g., browser console)
devstral-2 · analyzed Jun 14, 2026

Scores

CVSS v3 9.8
EPSS 0.0008
EPSS Percentile 22.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-287
Status published
Products (1)
phpBB/phpBB 3.3.0 - 3.3.16
Published Jun 12, 2026
Tracked Since Jun 12, 2026