CVE-2026-29199
Analyzed Analyzed - Analysis Complete
Host Header Injection in phpBB Before 3.3.16

Publication date: 2026-05-04

Last updated on: 2026-05-29

Assigner: HackerOne

Description
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-05-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29199
EUVD
EUVD-2026-26892
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpbb phpbb to 3.3.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects phpBB versions before 3.3.16 and is a Host Header Injection issue. When the configuration option force_server_vars is disabled, the server's hostname is taken from the HTTP Host header to create the URL for password reset links.

An attacker who can manipulate the Host headerβ€”due to misconfigured hosts or lack of proper header validation by the webserverβ€”can cause password reset emails to include links pointing to a domain controlled by the attacker.

This can lead to password reset link poisoning, potentially allowing the attacker to take over user accounts.

Impact Analysis

The vulnerability can lead to account takeover by attackers.

Specifically, attackers can manipulate password reset emails to contain malicious links, tricking users into resetting their passwords on attacker-controlled domains.

This compromises user accounts and can lead to unauthorized access to sensitive information or services.

Compliance Impact

This vulnerability allows an attacker to manipulate password reset links by exploiting Host Header Injection, potentially leading to account takeover.

Such unauthorized access risks compromising personal and sensitive user data, which can impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding user information and preventing unauthorized access.

Organizations using vulnerable versions of phpBB may face increased risk of data breaches and non-compliance with these standards if the vulnerability is exploited.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade phpBB to version 3.3.16 or later where the issue is fixed.

Additionally, ensure that the force_server_vars setting is enabled to prevent the server hostname from being extracted from the HTTP Host header.

Also, verify that your webserver is properly configured to validate and restrict Host headers to trusted values to prevent manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29199. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart