AI just broke phpBB: one simple request lets anyone log in as admin
Nostalgia is a dangerous drug. While most people thought internet forums died in 2008, half the web still runs on ancient code. And guess what? A security firm just proved that these digital fossils are basically standing wide open for hackers.
The cybersecurity folks at Aikido Security unleashed their automated scanner, Aikido Attack, and stumbled upon a massive hole labeled CVE-2026-48611.
This vulnerability affects virtually every version of phpBB from 3.1.0-a1 up to 3.3.16. That means if a forum hasn't updated since, well, June, it is a sitting duck.
The actual exploit is embarrassingly simple. All an attacker needs to do is send a single HTTP request masquerading as an Apache-authenticated user to the login link. The server happily spits back a session cookie for whatever username was specified, even the main administrator.
With this cookie, a hacker instantly gains the identity of the victim. If they target a regular user, they can read private messages and post embarrassing rants. If they target an administrator, they can ban users, delete posts, and see everyone's IP addresses.
While the admin panel itself requires entering a password again, hackers quickly figured out a beautiful workaround. An attacker registers a dummy account with a password they know, exploits the bug to hijack the head admin's session, uses that session to promote their dummy account to full administrator, and then simply logs in normally through the front door.
The patch is already out in version 3.3.17, which was silently released back in June to give big forums a head start to update before this absolute mess became public.
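For admins with more than one board to check, here is a small triage script, added as an example and not taken from Aikido or phpBB. It sorts phpBB version strings (including alpha, beta and RC tags) against the range quoted above. The host names and sample inventory are constructed, and treating every build below 3.3.17 as in range is a conservative assumption.

```python
import re

# Pre-release tags sort below the plain release; "pl" (patch level) sorts above it.
_STAGE = {"dev": 0, "a": 1, "alpha": 1, "b": 2, "beta": 2, "rc": 3, "": 4, "pl": 5}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?([A-Za-z]+)(\d*))?$")

FIRST_AFFECTED = "3.1.0-a1"  # lower bound stated in the article
FIXED_IN = "3.3.17"          # patched release stated in the article


def parse_version(text):
    """Turn '3.1.0-RC2' into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised phpBB version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    tag = (tag or "").lower()
    if tag not in _STAGE:
        raise ValueError(f"unknown release tag in {text!r}")
    return (int(major), int(minor), int(patch), _STAGE[tag], int(num or 0))


def is_affected(text):
    # Assumption: anything from the first affected build up to, but not
    # including, the fixed release counts as in range.
    return parse_version(FIRST_AFFECTED) <= parse_version(text) < parse_version(FIXED_IN)


def triage(inventory):
    """Map each host to 'in affected range', 'outside stated range' or 'unparsed'."""
    result = {}
    for host, version in inventory.items():
        try:
            hit = is_affected(version)
        except ValueError:
            result[host] = "unparsed"  # check these by hand
            continue
        result[host] = "in affected range" if hit else "outside stated range"
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {"forum-a.example": "3.3.16", "forum-b.example": "3.3.17",
          "forum-c.example": "3.2.0-RC1", "forum-d.example": "custom-build"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:20} {SAMPLE[host]:14} {status}")
```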
This is a glorious reminder that the infrastructure of the modern internet is held together by digital duct tape and forum software written when the Motorola Razr was the peak of mobile technology. Good luck to every system administrator spending their weekend patching a database from the Mesozoic era.
Source: Aikido Security