CVE-2025-71278
OAuth2 Scope Authorization Bypass in XenForo Before
Publication date: 2026-04-01
Last updated on: 2026-04-01
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xenforo | xenforo | From 2.3.0 (inc) to 2.3.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow OAuth2 client applications to escalate their privileges or access data and functions beyond what they are authorized to use.
As a result, attackers or malicious clients could gain unauthorized access to sensitive information or perform actions that should be restricted, potentially compromising the confidentiality, integrity, and availability of the affected system.
Can you explain this vulnerability to me?
CVE-2025-71278 is a vulnerability in XenForo versions prior to 2.3.5 that affects the OAuth2 implementation. Specifically, it allows OAuth2 client applications to request and obtain unauthorized scopes, meaning these clients can gain access beyond their intended authorization level.
This flaw is classified as an incorrect authorization issue (CWE-863) and can lead to privilege escalation or unauthorized access by OAuth2 clients.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade XenForo to version 2.3.5 or later, as this release includes a critical security fix addressing the OAuth2 unauthorized scope request issue.
The update is available for all licensed customers via one-click upgrade in the admin control panel or automatic scheduling for XenForo Cloud customers.
Additionally, ensure your environment meets the requirements for XenForo 2.3.5, including PHP 7.2 or newer (PHP 8.3 recommended) and MySQL 5.7 or newer (including MariaDB/Percona).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in XenForo before version 2.3.5 allows OAuth2 client applications to request unauthorized scopes, potentially granting access beyond intended authorization levels. This unauthorized access could lead to exposure or misuse of sensitive data.
Such unauthorized access risks may impact compliance with common standards and regulations like GDPR and HIPAA, which require strict control over access to personal and sensitive information to protect confidentiality and integrity.
Therefore, organizations using affected XenForo versions with OAuth2 clients may face compliance challenges if this vulnerability is exploited, as it could result in unauthorized data access or breaches.
Applying the security fix in XenForo 2.3.5 is essential to mitigate these risks and maintain compliance with relevant data protection regulations.