CVE-2025-71278

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.vulncheck.com/advisories/xenforo-oauth2-unauthorized-scope-request	Third Party Advisory
https://xenforo.com/community/threads/xenforo-2-3-5-includes-security-fix-add-ons-released.228812/	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*

History

01 Apr 2026, 18:51

Type	Values Removed	Values Added
References	~~() https://www.vulncheck.com/advisories/xenforo-oauth2-unauthorized-scope-request -~~	() https://www.vulncheck.com/advisories/xenforo-oauth2-unauthorized-scope-request - Third Party Advisory
References	~~() https://xenforo.com/community/threads/xenforo-2-3-5-includes-security-fix-add-ons-released.228812/ -~~	() https://xenforo.com/community/threads/xenforo-2-3-5-includes-security-fix-add-ons-released.228812/ - Release Notes
Summary		(es) XenForo anterior a 2.3.5 permite a las aplicaciones cliente OAuth2 solicitar ámbitos no autorizados. Esto afecta a cualquier cliente que utilice clientes OAuth2 en cualquier versión de XenForo 2.3 anterior a 2.3.5, lo que podría permitir a las aplicaciones cliente obtener acceso más allá de su nivel de autorización previsto.
First Time		Xenforo Xenforo xenforo
CPE		cpe:2.3:a:xenforo:xenforo::::::::

01 Apr 2026, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-01 01:16

Updated : 2026-04-01 18:51

NVD link : CVE-2025-71278

Mitre link : CVE-2025-71278

CVE.ORG link : CVE-2025-71278

JSON object : View

Products Affected

xenforo

xenforo

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-71278", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-01T01:16:40.000", "references": [{"url": "https://www.vulncheck.com/advisories/xenforo-oauth2-unauthorized-scope-request", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://xenforo.com/community/threads/xenforo-2-3-5-includes-security-fix-add-ons-released.228812/", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level."}, {"lang": "es", "value": "XenForo anterior a 2.3.5 permite a las aplicaciones cliente OAuth2 solicitar \u00e1mbitos no autorizados. Esto afecta a cualquier cliente que utilice clientes OAuth2 en cualquier versi\u00f3n de XenForo 2.3 anterior a 2.3.5, lo que podr\u00eda permitir a las aplicaciones cliente obtener acceso m\u00e1s all\u00e1 de su nivel de autorizaci\u00f3n previsto."}], "lastModified": "2026-04-01T18:51:48.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "38603AFC-2A94-400D-B368-E9856873EF6D", "versionEndExcluding": "2.3.5", "versionStartIncluding": "2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}