CVE-2026-29199
Published: 04 May 2026
Description
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is then used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through a misconfigured virtual host setup or missing header validation by the web server) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms.
Security Summary (AI)
CVE-2026-29199 is a Host Header Injection vulnerability in phpBB versions before 3.3.16 that enables password reset link poisoning. When the force_server_vars configuration option is disabled, the application derives the server's hostname from the HTTP Host header of the incoming request and uses it to construct the password reset link sent by email. Because the Host header is client-controlled, the generated link can be manipulated unless the web server validates the header before the request reaches phpBB.
Attackers can exploit this vulnerability over the network with low complexity and no privileges, provided they can control the Host header, for example where the site is served from a catch-all or misconfigured virtual host, or where the web server does not reject requests for unknown hostnames. By submitting a password reset request for the victim's account with a forged Host header, the attacker causes the reset email to contain a link pointing to a domain under their control. If the targeted user clicks that link, the reset token is delivered to the attacker, giving high confidentiality and integrity impact and potentially resulting in account takeover; availability is not affected. The issue is scored at CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-640 (weak password recovery mechanism for forgotten password).
phpBB versions 3.3.16 and later address this vulnerability. Because the flaw is only reachable when force_server_vars is disabled, operators who cannot upgrade immediately can enable that option and set the board's protocol, hostname and port explicitly so that reset links never depend on the request, and should additionally configure the web server to reject requests whose Host header does not match a served site. Additional details are available in the originating HackerOne report at https://hackerone.com/reports/3543246.
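The mechanism described in the Description and in the Security Summary above, as an added runnable illustration that is not phpBB's code: a small model of reset-link construction that takes the hostname from the request's Host header when force_server_vars is off, the same construction with force_server_vars on, and a hardened variant that also refuses to serve requests whose Host header is not in a deployment allowlist (the check a correctly configured default virtual host performs before PHP is ever invoked). The configuration field names, the `reset.php?token=` path and all header values are assumptions constructed for the example and do not correspond to phpBB's real routes or config keys.

```python
"""Model of password-reset link construction with and without Host-header trust.

Added illustration, not phpBB's code. Field names, URL path and sample
headers are constructed assumptions chosen to resemble the setup described
in the advisory.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class BoardConfig:
    """Assumed stand-in for the board's server settings (not phpBB's keys)."""
    force_server_vars: bool
    server_protocol: str = "https://"
    server_name: str = "forum.example.org"
    server_port: int = 443
    script_path: str = "/"


# Conservative host syntax: DNS labels with an optional :port. Anything
# containing '/', '?', '@' or whitespace is rejected outright so a Host
# value cannot smuggle path or query content into the link.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*(:\d{1,5})?$"
)


class UntrustedHost(ValueError):
    """Raised when the request's Host header is not a hostname we serve."""


def host_from_request(headers: dict[str, str]) -> str:
    """What the vulnerable path does: take the client-supplied Host verbatim."""
    return headers.get("Host", "").strip().lower()


def _authority(config: BoardConfig) -> str:
    """host[:port] from configuration only, omitting the scheme's default port."""
    default = 443 if config.server_protocol == "https://" else 80
    if config.server_port in (0, default):
        return config.server_name
    return f"{config.server_name}:{config.server_port}"


def reset_link_vulnerable(headers: dict[str, str], config: BoardConfig, token: str) -> str:
    """Reset link as described in the advisory: with force_server_vars off the
    authority comes from the request, so whoever controls Host controls the link."""
    authority = _authority(config) if config.force_server_vars else host_from_request(headers)
    return f"{config.server_protocol}{authority}{config.script_path}reset.php?token={token}"


def host_is_trusted(host: str, allowed_hosts: set[str]) -> bool:
    """Allowlist check: well-formed and one of the hostnames this deployment serves."""
    return bool(_HOST_RE.match(host)) and host in allowed_hosts


def reset_link_hardened(headers: dict[str, str], config: BoardConfig, token: str,
                        allowed_hosts: set[str]) -> str:
    """Never derives the link from the request. Refuses the whole request when
    Host is unknown, and builds the link purely from configured values."""
    host = host_from_request(headers)
    if not host_is_trusted(host, allowed_hosts):
        raise UntrustedHost(f"refusing request for unexpected Host {host!r}")
    return f"{config.server_protocol}{_authority(config)}{config.script_path}reset.php?token={token}"


def demo() -> dict[str, object]:
    """Runs the three variants against a forged Host header (constructed values)."""
    token = "0123456789abcdef"                                   # constructed token
    forged = {"Host": "forum.example.org.attacker.example"}      # attacker-chosen Host
    legit = {"Host": "forum.example.org"}
    allowed = {"forum.example.org"}
    try:
        reset_link_hardened(forged, BoardConfig(force_server_vars=True), token, allowed)
        hardened_rejected = False
    except UntrustedHost:
        hardened_rejected = True
    return {
        "poisoned": reset_link_vulnerable(forged, BoardConfig(force_server_vars=False), token),
        "forced_vars": reset_link_vulnerable(forged, BoardConfig(force_server_vars=True), token),
        "hardened_ok": reset_link_hardened(legit, BoardConfig(force_server_vars=True), token, allowed),
        "hardened_rejected_forged": hardened_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints a poisoned link whose authority is the attacker's domain, the same request producing the configured hostname once force_server_vars is on, and the hardened variant refusing the forged request while serving the legitimate one. The allowlist lives in the model for clarity; in a real deployment the equivalent check belongs in the web server's default virtual host so that a forged Host never reaches the application at all.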
Details
- CWE(s)