CVE-2025-71278
Received Received - Intake
OAuth2 Scope Authorization Bypass in XenForo Before

Publication date: 2026-04-01

Last updated on: 2026-04-01

Assigner: VulnCheck

Description
XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-71278
EUVD
EUVD-2025-209150
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xenforo xenforo From 2.3.0 (inc) to 2.3.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow OAuth2 client applications to escalate their privileges or access data and functions beyond what they are authorized to use.

As a result, attackers or malicious clients could gain unauthorized access to sensitive information or perform actions that should be restricted, potentially compromising the confidentiality, integrity, and availability of the affected system.

Executive Summary

CVE-2025-71278 is a vulnerability in XenForo versions prior to 2.3.5 that affects the OAuth2 implementation. Specifically, it allows OAuth2 client applications to request and obtain unauthorized scopes, meaning these clients can gain access beyond their intended authorization level.

This flaw is classified as an incorrect authorization issue (CWE-863) and can lead to privilege escalation or unauthorized access by OAuth2 clients.

Compliance Impact

The vulnerability in XenForo before version 2.3.5 allows OAuth2 client applications to request unauthorized scopes, potentially granting access beyond intended authorization levels. This unauthorized access could lead to exposure or misuse of sensitive data.

Such unauthorized access risks may impact compliance with common standards and regulations like GDPR and HIPAA, which require strict control over access to personal and sensitive information to protect confidentiality and integrity.

Therefore, organizations using affected XenForo versions with OAuth2 clients may face compliance challenges if this vulnerability is exploited, as it could result in unauthorized data access or breaches.

Applying the security fix in XenForo 2.3.5 is essential to mitigate these risks and maintain compliance with relevant data protection regulations.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade XenForo to version 2.3.5 or later, as this release includes a critical security fix addressing the OAuth2 unauthorized scope request issue.

The update is available for all licensed customers via one-click upgrade in the admin control panel or automatic scheduling for XenForo Cloud customers.

Additionally, ensure your environment meets the requirements for XenForo 2.3.5, including PHP 7.2 or newer (PHP 8.3 recommended) and MySQL 5.7 or newer (including MariaDB/Percona).

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71278. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart