CVE-2026-29199
Host Header Injection in phpBB Before 3.3.16
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: HackerOne
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpbb | phpbb | up to 3.3.16 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Host Header Injection issue affecting phpBB versions before 3.3.16. When the configuration option force_server_vars is disabled, the server hostname used to build the URL in password reset links is taken from the HTTP Host header of the incoming request.
An attacker who can influence the Host header (because of misconfigured hosts, or because the web server does not validate the header) can cause password reset emails to contain links that point to a domain the attacker controls.
This is known as password reset link poisoning and can allow the attacker to take over user accounts.
How can this vulnerability impact me?
The vulnerability can lead to account takeover by attackers.
Specifically, attackers can manipulate password reset emails to contain malicious links, tricking users into resetting their passwords on attacker-controlled domains.
This compromises user accounts and can lead to unauthorized access to sensitive information or services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to manipulate password reset links by exploiting Host Header Injection, potentially leading to account takeover.
Such unauthorized access risks compromising personal and sensitive user data, which can impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding user information and preventing unauthorized access.
Organizations using vulnerable versions of phpBB may face increased risk of data breaches and non-compliance with these standards if the vulnerability is exploited.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade phpBB to version 3.3.16 or later where the issue is fixed.
Additionally, ensure that the force_server_vars setting is enabled to prevent the server hostname from being extracted from the HTTP Host header.
Also, verify that your webserver is properly configured to validate and restrict Host headers to trusted values to prevent manipulation.
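The following illustration, added here and not taken from phpBB's source, contrasts the request-derived host lookup described above with a configuration-first lookup that only accepts allow-listed hostnames. The option names force_server_vars and server_name mirror phpBB settings mentioned on this page; the helper functions, array shapes and sample values are assumptions constructed for the example.

```php
<?php
// Added example (not phpBB code): deriving the host for a password reset link.
// $config mimics phpBB's force_server_vars / server_name options (assumption);
// $server mimics PHP's $_SERVER superglobal.

// Pattern the page describes: with force_server_vars off, the Host header
// of the request decides which domain the reset link points to.
function reset_link_host_from_request(array $config, array $server): string
{
    if (!empty($config['force_server_vars'])) {
        return $config['server_name'];
    }
    // Request-controlled when the web server forwards arbitrary Host values.
    return $server['HTTP_HOST'] ?? $config['server_name'];
}

// Hardened pattern: honour the Host header only if it is one of the names
// the site is actually served under; otherwise use the configured name.
function reset_link_host_validated(array $config, array $server, array $allowedHosts): string
{
    if (!empty($config['force_server_vars'])) {
        return $config['server_name'];
    }
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Drop an optional :port suffix before comparing against the allow-list.
    $host = preg_replace('/:\d+$/', '', $host);
    if ($host !== '' && in_array($host, $allowedHosts, true)) {
        return $host;
    }
    // Never fall through to the unvalidated request value.
    return $config['server_name'];
}

// Constructed sample: force_server_vars disabled, request carries a foreign Host.
$config  = ['force_server_vars' => 0, 'server_name' => 'forum.example.org'];
$server  = ['HTTP_HOST' => 'untrusted-host.example'];
$allowed = ['forum.example.org', 'www.forum.example.org'];

echo 'request-derived : ', reset_link_host_from_request($config, $server), PHP_EOL;
echo 'validated       : ', reset_link_host_validated($config, $server, $allowed), PHP_EOL;
```

Enabling force_server_vars corresponds to the first branch in both functions, which is why the page recommends it alongside web server Host validation.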