# Decade-Old phpBB Authentication Bypass Vulnerability Threatens Thousands of Forums
A critical authentication bypass vulnerability, present in the **phpBB** forum software for a decade, allows attackers to log in as any user, including administrators, with a single HTTP request. Discovered by **Aikido** researchers, the flaw impacts versions 4.0.0-a2 and 3.3.16 and below, necessitating immediate updates for affected forum administrators.

A significant security flaw has been uncovered in the widely used **phpBB** forum software, potentially exposing thousands of online communities to unauthorized access. The authentication bypass vulnerability, which has existed in the codebase for ten years, enables an attacker to assume the identity of any user, including forum administrators.
### The Vulnerability: A Decade in the Making
The flaw, which currently lacks a **CVE** identifier, is remarkably simple to exploit. **Aikido** researchers, who identified the vulnerability on June 2nd, confirmed that a single HTTP request is sufficient to trigger the bypass. This ease of exploitation, coupled with its long-standing presence, makes it a high-priority concern for forum administrators.
### Impacted Versions and Remediation
The vulnerability affects **phpBB** versions 4.0.0-a2 and 3.3.16 and below. Following **Aikido**'s report through **phpBB**'s HackerOne Vulnerability Disclosure Program, the developers released a patch on June 6th in **phpBB** version 3.3.17. A fix is therefore available for the 3.x branch, but a stable release for the 4.x branch is still pending, so affected 4.x users are advised to run the master branch for now.
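The following script is an added example for administrators who want to inventory their installs against the affected ranges above; it is not code from **Aikido** or the **phpBB** project. It assumes that an install's version string is found in `includes/constants.php` as the `PHPBB_VERSION` constant, and it assumes an ordering for pre-release tags (dev < a < b < rc) so that 4.0.0 pre-releases up to and including a2 are classed as affected. Anything on the 4.x branch beyond that is reported as needing a manual check, since no stable 4.x fix had been released when this was written.

```python
import re
from typing import Optional, Tuple

# First fixed release on the 3.x branch, as stated in the article.
FIXED_3X = (3, 3, 17)
# Newest pre-release named as affected on the 4.x branch (4.0.0-a2).
LAST_AFFECTED_4X_PRE = ("a", 2)

# phpBB records its version in includes/constants.php; the exact file and
# constant name are this example's assumption about the install layout.
VERSION_RE = re.compile(
    r"""define\(\s*['"]PHPBB_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)

# Ordering assumed for pre-release tags: dev < alpha < beta < rc.
PRE_RANK = {"dev": 0, "a": 1, "b": 2, "rc": 3}


def extract_version(constants_php: str) -> Optional[str]:
    """Return the PHPBB_VERSION string from the contents of constants.php."""
    m = VERSION_RE.search(constants_php)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[Tuple[int, ...], Optional[Tuple[int, int]]]:
    """Split '3.3.16' -> ((3,3,16), None) and '4.0.0-a2' -> ((4,0,0), (1,2))."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    if not pre:
        return nums, None
    m = re.fullmatch(r"([a-z]+)(\d*)", pre.lower())
    if not m or m.group(1) not in PRE_RANK:
        raise ValueError(f"unrecognised pre-release tag: {pre}")
    return nums, (PRE_RANK[m.group(1)], int(m.group(2) or 0))


def assess(version: str) -> str:
    """Classify a phpBB version as 'affected', 'patched' or 'check manually'."""
    nums, pre = parse_version(version)
    if nums[0] == 3:
        # 3.3.16 and below are affected; 3.3.17 carries the fix.
        return "affected" if nums < FIXED_3X else "patched"
    if nums[:3] == (4, 0, 0) and pre is not None:
        # Assumption: 4.0.0 pre-releases up to and including a2 are affected.
        limit = (PRE_RANK[LAST_AFFECTED_4X_PRE[0]], LAST_AFFECTED_4X_PRE[1])
        if pre <= limit:
            return "affected"
    # No stable 4.x fix existed when the article was written, so anything
    # else on 4.x (and any other branch) is left for a manual check.
    return "check manually"


def assess_install(constants_php: str) -> str:
    """Run the check against the text of an install's includes/constants.php."""
    v = extract_version(constants_php)
    return "check manually" if v is None else assess(v)


# Constructed sample of the relevant line from a 3.3.16 install (not a real file).
SAMPLE_CONSTANTS_PHP = """<?php
// phpBB constants (constructed sample)
@define('PHPBB_VERSION', '3.3.16');
"""

if __name__ == "__main__":
    print(assess_install(SAMPLE_CONSTANTS_PHP))  # affected
```

To use it against a live install, read `includes/constants.php` from each forum's web root and pass the text to `assess_install`; a result of "check manually" on a 4.x install means the version is newer than the ranges the article names and should be compared against the project's own release notes.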
### Exploitation Potential and Risks
Exploiting this flaw requires no specialized configuration, as it is triggerable on default **phpBB** settings. Gaining administrator access could grant attackers the ability to:
* View all private messages.
* Create, modify, or delete content and user accounts.
* Impersonate staff members.
* Deface forum sites.
While the vulnerability does not allow remote code execution (RCE), because a separate password check protects the Admin Control Panel, the potential for widespread disruption and data exposure remains high. **Aikido** researchers have deliberately withheld technical details to give administrators a window to apply patches, and have also directly contacted large **phpBB**-based forums.
### Important Considerations for Administrators
Administrators applying the update should be aware that forums using OAuth authentication might experience temporary disruptions. This is because the OAuth redirect handler has moved to a new location; adjusting for the new location should be straightforward in most cases. **Aikido** has indicated that full technical details will be released in a future report, though no specific timeline has been given.
Given the simplicity of exploitation and the widespread use of **phpBB**, immediate action is crucial for all affected forum operators to safeguard their communities and user data.