A critical vulnerability (CVE-2026-48611) in phpBB allows unauthenticated attackers to log in as any user, including administrators, putting numerous online communities at risk of compromise. The flaw lies in phpBB's OAuth implementation; exploitation requires only the target's username and works even when OAuth is not enabled. The issue carries a CVSS score of 9.8, affects all phpBB versions up to 3.3.16, and was patched in version 3.3.17, released on June 6, 2026. Administrators are urged to update immediately or to apply temporary mitigations if they cannot patch right away.
Critical phpBB OAuth flaw lets hackers hijack any account
CyberSIXT Evidence Panel
Article by CyberSIXT
Timeline Coverage
- Critical phpBB OAuth flaw lets hackers hijack any account (securityonline.info)
- phpBB flaw lets attackers hijack any account with one request (infosecurity-magazine.com)