Aikido's AI pentesting tool, Aikido Attack, discovered a critical authentication bypass in the latest versions of the forum software phpBB. The bypass can lead to Remote Code Execution, i.e. a complete takeover of the underlying system. It is exploitable in the default configuration and requires no special knowledge. If you run 3.3.16 or below, upgrade immediately to 3.3.17. If you run 4.0.0-a2, there is no safe 4.x release yet, so build from master to avoid compromise.
On June 2nd, we reported the finding to the phpBB maintainers through their HackerOne Vulnerability Disclosure Program. After a quick triage, it took only 4 days for a working patch to be released as version 3.3.17 on June 6th. The official release notes have more details about this update.
There is one small breaking change if your phpBB instance has OAuth authentication enabled: the redirect URI handler is now located at /user/oauth/authenticate/..., so the redirect URI registered with your OAuth provider has to be updated to match. Apart from this change, the upgrade should be a smooth process.
To give administrators time to upgrade, we are holding back on publishing technical details for now, but we will follow up with a second article in the near future.
We've already privately notified administrators of the largest online communities of the update, but ask you to help reach out to any instances you know that might not have gotten the news yet.
About phpBB
phpBB is an open-source forum package that dates back to the year 2000 and is still in widespread use today. You might recognize some of the communities that phpBB powers, like https://forum.joomla.org or https://forums.debian.net. phpBB's Site Showcase alone lists forums with over 6 million members, with many more in unlisted instances.
Due to its popularity and open-source nature, it was the target of many attacks exploiting 0-days across the internet back in the day. The most notable is the "Santy" worm of 2004, which abused a vulnerability resulting in RCE. It was the first time a search engine like Google was used to find and compromise tens of thousands of instances almost instantly.
The attack surface is vast, with many features having made their way into the codebase over the years, and plain PHP without a framework isn't exactly considered the safest foundation. Nonetheless, the project runs a proper Vulnerability Disclosure Program on HackerOne where researchers can report findings and get them fixed.
Nowadays, phpBB is considered reasonably secure. But we have new evidence that it still contains highly impactful vulnerabilities.
The vulnerability
A single unauthenticated HTTP request is enough to obtain a valid session as any user. On a default phpBB install the member list is public, so picking a target is trivial.
What an attacker can do with that session depends on the account. A standard user's session exposes their private messages and all content they can access. An administrator's session gives full read, write and delete access across the forum and, on the latest version, opens the door to Remote Code Execution.
The vulnerability affects all versions up to and including 3.3.16 and 4.0.0-a2.
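For administrators who want to check which of their (or their community's) forums still run an affected release, the following is an added example, not Aikido's or phpBB's code. It assumes the instance serves the stock styles/prosilver/style.cfg file, which on a default install is world-readable and carries a `phpbb_version = ...` line; a hardened instance that blocks it will simply report the version as unknown. The version logic encodes exactly what the article states: 3.3.17 is the first fixed 3.x release, and there is no fixed 4.x release yet, so every 4.x tag is treated as unpatched.

```python
"""Check a phpBB instance's advertised version against the patched releases.

Added example (not from the article or the phpBB project). Assumes the stock
styles/prosilver/style.cfg is readable at <forum>/styles/prosilver/style.cfg.
"""
from __future__ import annotations

import re
import sys
import urllib.request

# Constructed sample of a prosilver style.cfg body, as shipped with 3.3.16.
SAMPLE_STYLE_CFG = """\
# General Information about this style
name = prosilver
copyright = © phpBB Limited, 2007
style_version = 3.3.16
phpbb_version = 3.3.16

# Defining a different template bitfield
# template_bitfield = lNg=
"""

# First release of each major line that carries the fix, per the article:
# 3.3.17 for the 3.x line. No 4.x release is fixed (only master), so the 4.x
# line is deliberately absent and every 4.x tag is reported as vulnerable.
FIXED_RELEASE: dict[int, tuple[int, ...]] = {3: (3, 3, 17)}

_VERSION_RE = re.compile(r"^\s*phpbb_version\s*=\s*(\S+)", re.MULTILINE)


def parse_version(text: str) -> tuple[tuple[int, ...], str]:
    """'3.3.16' -> ((3, 3, 16), ''); '4.0.0-a2' -> ((4, 0, 0), 'a2')."""
    core, _, pre = text.partition("-")
    return tuple(int(p) for p in core.split(".")), pre.lower()


def version_from_style_cfg(cfg: str) -> str | None:
    """Extract the phpbb_version value from a style.cfg body, or None."""
    match = _VERSION_RE.search(cfg)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """True if the release predates the fix for its major line.

    Pre-release tags (e.g. 'a2') are parsed but not used to order releases
    that share the same numeric version; only the numbers are compared.
    """
    nums, _pre = parse_version(version)
    fixed = FIXED_RELEASE.get(nums[0])
    if fixed is None:
        return True  # no safe release published for this major line
    return nums < fixed


def fetch_version(base_url: str, timeout: float = 10.0) -> str | None:
    """Fetch style.cfg from a live forum and return its phpbb_version."""
    url = base_url.rstrip("/") + "/styles/prosilver/style.cfg"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return version_from_style_cfg(resp.read().decode("utf-8", "replace"))


def report(base_url: str, version: str | None) -> str:
    if version is None:
        return f"{base_url}: version unknown (style.cfg not readable?)"
    state = "VULNERABLE, upgrade" if is_vulnerable(version) else "patched"
    return f"{base_url}: phpBB {version} -> {state}"


if __name__ == "__main__":
    # Usage: python check_phpbb.py https://forum.example.org ...
    # With no arguments, run against the constructed sample instead.
    if len(sys.argv) < 2:
        print(report("<sample>", version_from_style_cfg(SAMPLE_STYLE_CFG)))
    for base in sys.argv[1:]:
        try:
            print(report(base, fetch_version(base)))
        except OSError as exc:
            print(f"{base}: request failed ({exc})")
```

Only check forums you operate or have permission to test. A forum that has removed or restricted style.cfg, or runs a custom style, will show up as unknown rather than patched, so treat "unknown" as a prompt to ask the administrator directly.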
Timeline
- June 2, 2026 20:22 - Submitted report to the https://hackerone.com/phpbb VDP
- June 2, 2026 20:31 - Report was triaged by phpBB staff (that's right, 9 minutes!)
- June 6, 2026 16:26 - Version 3.3.17 with a patch is released

