A critical vulnerability in phpBB forum software allows attackers to hijack any account, including administrator accounts, with a single unauthenticated request. Rated 9.4 on the CVSS scale, the flaw affects all phpBB versions up to 3.3.16 and 4.0.0 alpha in default installations. The authentication bypass lets an intruder gain access to a victim's account and read its private messages and forum content.
Additionally, a second vulnerability, linked to OAuth logins, permits attackers to take over accounts without any user interaction. Both flaws were addressed in version 3.3.17, released on June 6, 2026, and phpBB administrators are urged to update immediately.