CVE-2026-29199 Overview
CVE-2026-29199 is a Host Header Injection vulnerability affecting phpBB versions before 3.3.16. The flaw resides in the password reset link generation logic. When the force_server_vars configuration option is disabled, phpBB derives the server hostname from the inbound HTTP Host header. An attacker who controls or manipulates the Host header can cause password reset emails to embed links pointing to an attacker-controlled domain. Victims who click the poisoned link transmit their reset token to the attacker, enabling account takeover. The issue is tracked under CWE-640: Weak Password Recovery Mechanism for Forgotten Password.
Critical Impact
Successful exploitation allows an attacker to hijack password reset tokens and take over arbitrary phpBB accounts, including administrators.
Affected Products
- phpBB versions prior to 3.3.16
- Deployments where force_server_vars is disabled
- Forums fronted by webservers that do not validate the Host header
Discovery Timeline
- 2026-05-04 - CVE-2026-29199 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-29199
Vulnerability Analysis
phpBB constructs absolute URLs for password reset emails by reading the hostname from server-side variables. When the administrative setting force_server_vars is disabled, the application falls back to the HTTP_HOST value supplied by the client. This value originates from the inbound Host header and is not validated against an allowlist of trusted hostnames. An attacker submits a password reset request for a target account while injecting a malicious Host header value. The mailer then renders the reset URL using the attacker-supplied hostname, while the email body still travels through the legitimate phpBB SMTP pipeline. The victim receives a credible-looking message and follows the poisoned link, sending the single-use token to the attacker's server. The attacker replays the token against the legitimate phpBB instance to set a new password and seize the account.
Root Cause
The root cause is missing validation of the Host request header in the URL generation routine used by the password reset feature. phpBB trusts the client-controlled header instead of binding URL generation to a configured canonical hostname. Operators who leave force_server_vars disabled inherit the vulnerable code path.
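The unsafe and hardened URL-building patterns described above, as an added illustration that is not phpBB's own code: a minimal reset-link builder whose configuration keys (force_server_vars, server_protocol, server_name) mirror the phpBB settings named on this page, with all values and the allowlist assumed for the example.

```python
from urllib.parse import quote

# Assumed deployment configuration, named after the phpBB settings this page discusses.
CONFIG = {
    "force_server_vars": False,      # the vulnerable setting: derive hostname from the request
    "server_protocol": "https://",
    "server_name": "forum.example.com",
}

# Hostnames the forum is legitimately served under (assumed value for the example).
ALLOWED_HOSTS = {"forum.example.com"}


def host_from_header(headers):
    """Lower-case the Host header and strip any :port suffix before comparing it."""
    return headers.get("Host", "").strip().lower().split(":")[0]


def reset_url_unsafe(headers, token, config=CONFIG):
    """Vulnerable pattern: with force_server_vars off, the client-controlled Host header
    becomes the hostname of the emailed reset link with no validation at all."""
    host = config["server_name"] if config["force_server_vars"] else headers.get("Host", "")
    return f"{config['server_protocol']}{host}/ucp.php?mode=confirm_reset_password&token={quote(token)}"


def reset_url_hardened(headers, token, config=CONFIG, allowed_hosts=ALLOWED_HOSTS):
    """Hardened pattern: the configured canonical name is always the default; the request
    Host is used only when the operator has not forced server vars AND it is allowlisted."""
    host = config["server_name"]
    if not config["force_server_vars"]:
        candidate = host_from_header(headers)
        if candidate in allowed_hosts:
            host = candidate
        # Anything else (spoofed, empty, unexpected) silently falls back to server_name,
        # so the emailed link can never point off-site.
    return f"{config['server_protocol']}{host}/ucp.php?mode=confirm_reset_password&token={quote(token)}"


if __name__ == "__main__":
    spoofed = {"Host": "attacker.example"}          # constructed sample request header
    print("unsafe  :", reset_url_unsafe(spoofed, "t0k3n"))
    print("hardened:", reset_url_hardened(spoofed, "t0k3n"))
```

Note that enabling force_server_vars makes both builders ignore the header entirely, which is why the page lists it as the primary mitigation; the allowlist branch only matters for deployments that must keep it disabled.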
Attack Vector
The attack is remote and unauthenticated, but requires user interaction because the victim must click the poisoned link in the reset email. Exploitation typically proceeds as follows. The attacker sends a crafted POST request to the phpBB password reset endpoint with a Host header pointing to attacker.example. phpBB generates a reset URL such as https://attacker.example/ucp.php?mode=confirm_reset_password&... and emails it to the victim. The victim clicks the link, and the attacker's webserver captures the token and user identifier. The attacker forwards the captured token to the legitimate phpBB host to complete the password change. See the HackerOne Report #3543246 for additional technical context.
Detection Methods for CVE-2026-29199
Indicators of Compromise
- Outbound password reset emails containing URLs whose hostname does not match the canonical forum domain
- HTTP requests to ucp.php?mode=sendpassword with Host header values that differ from the configured server name
- Webserver access logs showing unusual or spoofed Host headers preceding mail delivery events
- User reports of password reset emails referencing unfamiliar domains
Detection Strategies
- Inspect web access logs for requests targeting password reset endpoints whose Host header does not match the webserver's configured server_name directive
- Correlate phpBB mailer logs with HTTP request logs to identify reset emails generated from suspicious headers
- Deploy WAF rules that flag Host header values not present in an allowlist of expected hostnames
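The first detection strategy above, applied to access logs, as an added example that is not part of the original page: the log lines below are constructed, and assume a custom nginx log format that records $host as the first field (the default combined format does not log the Host header, so this must be configured explicitly); the allowlisted hostname and the reset-endpoint modes are taken from this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hostnames the forum is legitimately served under (assumed value for the example).
ALLOWED_HOSTS = {"forum.example.com"}

# phpBB ucp.php modes involved in the password reset flow, as named on this page.
RESET_MODES = {"sendpassword", "confirm_reset_password"}

# Constructed sample lines in an assumed nginx log format:
#   $host $remote_addr [$time_local] "$request" $status
SAMPLE_LOG = """\
forum.example.com 203.0.113.10 [04/May/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200
forum.example.com 203.0.113.11 [04/May/2026:10:00:05 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200
attacker.example 198.51.100.7 [04/May/2026:10:01:12 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200
FORUM.EXAMPLE.COM:443 203.0.113.12 [04/May/2026:10:02:00 +0000] "POST /ucp.php?mode=sendpassword HTTP/1.1" 200
evil.example 198.51.100.8 [04/May/2026:10:03:30 +0000] "GET /viewtopic.php?t=1 HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})$'
)


def normalize_host(raw):
    """Lower-case and strip any :port suffix so 'FORUM.EXAMPLE.COM:443' matches the allowlist."""
    host = raw.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, keep the bracketed part
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def is_reset_request(target):
    """True when the request line targets ucp.php with a password-reset mode parameter."""
    parts = urlsplit(target)
    if not parts.path.endswith("/ucp.php"):
        return False
    modes = parse_qs(parts.query).get("mode", [])
    return any(m in RESET_MODES for m in modes)


def find_host_mismatches(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (client_ip, raw_host, target) for reset-endpoint requests with a non-allowlisted Host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip malformed lines instead of aborting the scan
        if not is_reset_request(m["target"]):
            continue                          # only the reset flow is relevant to this CVE
        if normalize_host(m["host"]) not in allowed_hosts:
            findings.append((m["ip"], m["host"], m["target"]))
    return findings


if __name__ == "__main__":
    for ip, host, target in find_host_mismatches(SAMPLE_LOG):
        print(f"suspicious reset request from {ip}: Host={host} target={target}")
```

Only the attacker.example line is reported: the upper-case host with an explicit port normalizes to the canonical name, and the evil.example request is ignored because it never touches the reset endpoint. Correlating each finding's timestamp with the mailer log, as the second strategy suggests, then identifies which outgoing reset email carried a poisoned link.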
Monitoring Recommendations
- Alert on password reset request volume spikes targeting administrative or moderator accounts
- Monitor outbound mail content for reset URLs whose domain does not match the forum's canonical hostname
- Track authentication state changes occurring shortly after a reset link is issued from an anomalous source
How to Mitigate CVE-2026-29199
Immediate Actions Required
- Upgrade phpBB to version 3.3.16 or later
- Set force_server_vars to enabled in the Administration Control Panel and configure an explicit server_name and server_protocol
- Configure the upstream webserver (Apache, nginx, or load balancer) to reject requests with unexpected Host headers
- Audit recent password reset activity for evidence of exploitation
Patch Information
The phpBB project addressed the issue in version 3.3.16 by hardening URL generation so password reset links rely on configured server variables rather than the client-supplied Host header. Administrators should apply the official upgrade package from the phpBB downloads portal. Refer to the HackerOne Report #3543246 for disclosure details.
Workarounds
- Enable force_server_vars in the phpBB ACP and define the canonical hostname under General → Server Settings
- Configure the webserver to enforce a strict Host header allowlist and return HTTP 400 for non-matching values
- Restrict access to the password reset endpoint behind rate limiting and CAPTCHA to slow targeted exploitation
# Example nginx configuration to enforce a Host header allowlist
server {
    listen 443 ssl;
    server_name forum.example.com;

    # Reject any request whose Host header is not the canonical forum hostname
    if ($host !~* ^(forum\.example\.com)$) {
        return 400;
    }

    # ... remaining phpBB configuration
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.