# [HIGH] 10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums

**Source:** Aikido
**Published:** 2026-06-10
**Article:** https://www.aikido.dev/blog/phpbb-authentication-bypass-rce

## Threat Profile

Written by Jorian Woltjer, published Jun 10, 2026. Aikido's AI pentesting tool Aikido Attack discovered a critical Authentication Bypass vulnerability in the latest version of the forum software phpBB, which can lead to Remote Code Execution, a complet…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-29199`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1528** — Steal Application Access Token
- **T1098.001** — Account Manipulation: Additional Cloud Credentials
- **T1592.002** — Gather Victim Host Information: Software
- **T1566.002** — Phishing: Spearphishing Link
- **T1098** — Account Manipulation
- **T1550.001** — Use Alternate Authentication Material: Application Access Token

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### phpBB instance vulnerable to CVE-2026-29199 (3.3.16 and below / 4.0.0-a2) exposed on managed assets

`UC_69_2` · phase: **recon** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count values(Vulnerabilities.signature) as signature values(Vulnerabilities.severity) as severity values(Vulnerabilities.cve) as cve from datamodel=Vulnerabilities.Vulnerabilities where (Vulnerabilities.cve="CVE-2026-29199" OR Vulnerabilities.signature="*phpBB*") by Vulnerabilities.dest
| `drop_dm_object_name(Vulnerabilities)`
| where match(signature,"(?i)phpBB[^0-9]*3\.(3\.([0-9]|1[0-6])|[0-2]\.)") OR match(signature,"(?i)phpBB[^0-9]*4\.0\.0-a[12]") OR cve="CVE-2026-29199"
| sort - severity
```

**Defender KQL:**
```kql
DeviceTvmSoftwareVulnerabilities
// Snapshot table (no Timestamp column), so no time window is applied.
| where CveId == "CVE-2026-29199"
   or (SoftwareVendor =~ "phpbb" and SoftwareName has "phpbb")
| extend VulnerableVersion = case(
     SoftwareVersion matches regex @"^3\.(3\.(?:[0-9]|1[0-6])(?:[^0-9]|$)|[0-2]\.)", true,
     SoftwareVersion =~ "4.0.0-a2", true,
     SoftwareVersion =~ "4.0.0-a1", true,
     false)
| where VulnerableVersion == true or CveId == "CVE-2026-29199"
| project DeviceName, DeviceId, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
| sort by VulnerabilitySeverityLevel desc, DeviceName asc
```

### phpBB password-reset Host header injection (CVE-2026-29199 exploitation)

`UC_69_3` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count values(Web.src) as src_ips dc(Web.src) as src_count values(Web.user_agent) as user_agents latest(Web.http_referrer) as referrer from datamodel=Web.Web where Web.http_method="POST" AND Web.uri_path="*ucp.php*" AND Web.uri_query="*mode=sendpassword*" by Web.dest, Web.http_host, _time span=10m
| `drop_dm_object_name(Web)`
| eval host_lower=lower(http_host)
| lookup phpbb_canonical_hosts_lookup canonical_host AS host_lower OUTPUT is_canonical
| where isnull(is_canonical) OR is_canonical!="true"
| where host_lower!="" AND NOT match(host_lower,"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")
| sort - count
```
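The hunt above flags password-reset POSTs whose Host header is neither a known canonical forum hostname nor a bare IP. The following is an added example (not code from the article, from Aikido, or from phpBB) that applies the same logic offline to a handful of constructed access-log lines in Apache vhost_combined style; the hostnames `forum.example.com`, `www.example.com` and `untrusted.invalid`, the client addresses and the log layout are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (not real traffic). Layout per line:
# <Host header> <client ip> - - [time] "<request line>" <status> <bytes>
SAMPLE_LOG = """\
forum.example.com 203.0.113.10 - - [10/Jun/2026:10:00:01 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200 512
forum.example.com 203.0.113.11 - - [10/Jun/2026:10:00:05 +0000] "GET /viewtopic.php?t=1 HTTP/1.1" 200 8192
untrusted.invalid 198.51.100.7 - - [10/Jun/2026:10:01:09 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200 512
untrusted.invalid:8080 198.51.100.7 - - [10/Jun/2026:10:01:10 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200 512
192.0.2.5 198.51.100.8 - - [10/Jun/2026:10:02:00 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200 512
www.example.com 203.0.113.12 - - [10/Jun/2026:10:03:00 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200 512
"""

# Assumed canonical hostnames; the SPL hunt keeps these in a lookup table instead.
CANONICAL_HOSTS = {"forum.example.com", "www.example.com"}

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def normalize_host(host):
    """Lower-case the Host value and drop an explicit port, mirroring lower(http_host)."""
    return re.sub(r":\d+$", "", host.lower())


def is_bare_ip(host):
    """True when the Host header is a literal IP address (the hunt treats these as noise)."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def is_reset_request(rec):
    """POST to ucp.php with mode=sendpassword, i.e. the password-reset form submission."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("ucp.php")
            and "sendpassword" in rec["query"].get("mode", []))


def find_suspicious_resets(log_text, canonical_hosts=CANONICAL_HOSTS):
    """Group reset requests by non-canonical, non-IP Host header; return {host: {count, src_ips}}."""
    hits = defaultdict(lambda: {"count": 0, "src_ips": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_reset_request(rec):
            continue
        host = normalize_host(rec["host"])
        if not host or host in canonical_hosts or is_bare_ip(host):
            continue
        hits[host]["count"] += 1
        hits[host]["src_ips"].add(rec["src"])
    return {h: {"count": v["count"], "src_ips": sorted(v["src_ips"])}
            for h, v in hits.items()}


if __name__ == "__main__":
    for host, info in find_suspicious_resets(SAMPLE_LOG).items():
        print(f"{host}: {info['count']} reset request(s) from {', '.join(info['src_ips'])}")
```

On the constructed input only the two requests carrying `untrusted.invalid` (one with an explicit port) are reported; the canonical hosts and the bare-IP request are skipped, matching the filters in the SPL. Any hit means the application received a reset request for a hostname it should never be served under, which is the precondition the hunt is looking for.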

### phpBB OAuth account-binding CSRF — anomalous traffic to pre-3.3.17 OAuth callback path

`UC_69_4` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count values(Web.src) as src_ips values(Web.user_agent) as uas values(Web.http_referrer) as referrers from datamodel=Web.Web where Web.uri_path="*ucp.php*" AND (Web.uri_query="*oauth_service=*" OR (Web.uri_query="*mode=login_link*" AND Web.uri_query="*login=external*")) by Web.dest, Web.src, _time span=5m
| `drop_dm_object_name(Web)`
| eval ext_referrer=if(match(http_referrer,"(?i)^https?://") AND NOT match(http_referrer,"(?i)://(" . dest . "|forum\.example\.com|www\.example\.com)/"),1,0)
| where ext_referrer=1 OR http_referrer="-" OR http_referrer=""
| stats count, dc(src) as src_count, values(referrers) as referrer_set, values(uas) as ua_set by dest, _time
| where count>=1
| sort - _time
```

### OAuth consent / suspicious app grant

`UC_OAUTH_ABUSE` · phase: **actions** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Authentication.Authentication
    where Authentication.action="success"
      AND Authentication.signature IN (
        "Consent to application",
        "Add app role assignment grant to user",
        "Add OAuth2PermissionGrant",
        "Add delegated permission grant")
    by Authentication.user, Authentication.app, Authentication.src, Authentication.signature
| `drop_dm_object_name(Authentication)`
```

**Defender KQL:**
```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType in ("Consent to application.","Add OAuth2PermissionGrant.","Add delegated permission grant.")
| project Timestamp, AccountObjectId, AccountDisplayName, ActivityType,
          ActivityObjects, IPAddress, UserAgent
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-29199`


## Why this matters

Severity classified as **HIGH** based on: CVE present, 5 use case(s) fired, 7 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
