10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums

June 10, 2026

A massive structural vulnerability has been discovered hiding in plain sight within the phpBB codebase since 2014. This ten-year-old flaw introduces a critical, unauthenticated authentication bypass that leaves tens of millions of users across thousands of global web forums completely exposed to compromise. An attacker can exploit this legacy flaw using a single, tailored HTTP request to gain complete administrative access to the targeted forum database, allowing massive data harvesting, credential theft, and total forum control.Because this issue has been active for a decade, administrators running legacy web instances must immediately apply the latest critical security patches issued by phpBB. A complete security audit of forum user accounts and database backups should be conducted to check for signs of long-term backdoors or unauthorized privilege escalation vectors.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?