Cyber Posture

CVE-2026-29199

High

Published: 04 May 2026
Modified: 07 May 2026
KEV Added: not listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (8.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29199 is a high-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Hackerone (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 8.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2 Flaw Remediation)

Remediates the specific Host Header Injection flaw in phpBB by requiring timely patching to version 3.3.16 or later, so that the hostname used in password reset links is no longer extracted from the untrusted Host header.

prevent (SI-10 Information Input Validation)

Requires validation of the HTTP Host header input to prevent injection into, and poisoning of, the password reset link URLs generated by phpBB.

prevent

Ensures secure configuration settings, such as enabling force_server_vars in phpBB or validating Host headers at the web server, so that the header cannot be manipulated to influence generated links.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remotely exploitable vulnerability in a public-facing web application (phpBB) that is abused via crafted Host headers to poison password reset links and achieve account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through a misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.

Deeper analysis

CVE-2026-29199 is a Host Header Injection vulnerability in phpBB versions before 3.3.16 that enables password reset link poisoning. When the force_server_vars configuration option is disabled, the application's code extracts the server's hostname from the HTTP Host header to construct password reset link URLs sent via email. This allows manipulation of the generated links if the header is not properly validated or sanitized by the web server.

Attackers can exploit this vulnerability over the network with low complexity and no required privileges, provided they can control the Host header in requests, such as through misconfigured virtual host setups or absent web server header validation. By doing so, they can poison password reset emails to point to a domain under their control. If a targeted user interacts with the malicious link (e.g., by clicking it to reset their password), the attacker can achieve high confidentiality and integrity impacts, potentially resulting in account takeover. The issue is scored at CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-640.

phpBB versions 3.3.16 and later address this vulnerability. Additional details are available in the originating HackerOne report at https://hackerone.com/reports/3543246.
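Added illustration, not phpBB's own code: a small Python model of the decision the analysis above describes, showing the reset link built from the client-supplied Host header beside the force_server_vars-style fixed hostname, a web-server-style Host allow-list check, and an outbound check a defender can run on generated reset links. The config key names, the ucp.php path and the sample hosts are assumptions chosen for the example.

```python
from urllib.parse import urlencode, urlsplit

# Constructed settings in the spirit of phpBB's server configuration
# (assumed names for this example, not phpBB's actual code or schema).
CONFIG = {"server_protocol": "https://", "server_name": "forum.example.org",
          "script_path": "/", "force_server_vars": False}
ALLOWED_HOSTS = {"forum.example.org", "www.forum.example.org"}


def reset_link(config, request_headers, user_id, token):
    """Build a password-reset URL the way the advisory describes: with
    force_server_vars off the hostname is copied from the client-supplied
    Host header; with it on, the configured server_name is used instead."""
    if config["force_server_vars"]:
        host = config["server_name"]
    else:
        host = request_headers.get("Host", config["server_name"])  # untrusted input
    query = urlencode({"mode": "reset_password", "u": user_id, "token": token})
    return f"{config['server_protocol']}{host}{config['script_path']}ucp.php?{query}"


def validate_host(request_headers, allowed=ALLOWED_HOSTS):
    """Web-server-style Host validation (the other mitigation on the page):
    strip any port, compare case-insensitively, reject anything not allow-listed."""
    host = request_headers.get("Host", "").strip().lower().rsplit(":", 1)[0]
    if host not in allowed:
        raise ValueError(f"unexpected Host header: {host!r}")
    return host


def reset_link_points_home(link, allowed=ALLOWED_HOSTS):
    """Outbound-mail check: True only if the reset link targets one of our hosts.
    Serves as a last-line detector for poisoned reset emails."""
    return urlsplit(link).hostname in allowed


# Constructed requests: one normal, one whose Host header is not one of ours.
NORMAL = {"Host": "forum.example.org"}
POISONED = {"Host": "attacker.example"}

if __name__ == "__main__":
    weak = reset_link(CONFIG, POISONED, 42, "t0k3n")
    hardened = reset_link({**CONFIG, "force_server_vars": True}, POISONED, 42, "t0k3n")
    print("force_server_vars=0:", weak, "points home:", reset_link_points_home(weak))
    print("force_server_vars=1:", hardened, "points home:", reset_link_points_home(hardened))
```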

Details

CWE(s): CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Affected Products

Hackerone (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-63314 (shared CWE-640)
CVE-2026-1325 (shared CWE-640)
CVE-2026-40585 (shared CWE-640)
CVE-2022-50910 (shared CWE-640)
CVE-2026-25858 (shared CWE-640)
CVE-2020-37172 (shared CWE-640)
CVE-2025-4320 (shared CWE-640)
CVE-2025-69614 (shared CWE-640)
CVE-2026-30459 (shared CWE-640)
CVE-2026-2895 (shared CWE-640)

References