XenForo 2.3.4 and Earlier: Unauthorized Access to User Data

CVE-2025-71278
Summary

If you run XenForo 2.3.4 or earlier (any 2.3 release before 2.3.5), an OAuth2 client application can request scopes beyond those it was authorized for, and the server does not reject the request. A client could therefore obtain access to user data beyond its intended authorization level. This affects every customer using OAuth2 clients on those versions. The fix is to update to XenForo 2.3.5 or later as soon as possible.

Original description
XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.
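The advisory describes the generic CWE-863 pattern in which an authorization server honours whatever scopes a registered client asks for instead of checking them against the scopes that client was registered with. The following is an added example, written for this page and not XenForo's code (XenForo is a PHP application; the advisory does not disclose the affected code path, so nothing here should be read as its root cause). It shows the vulnerable grant logic beside a fail-closed version and a small detection helper. The client registry, client id `stats-widget`, scope names and the authorization request URL are all constructed for the illustration.

```python
"""
Generic OAuth2 scope-validation example (constructed illustration of the
CWE-863 pattern described in the advisory; not XenForo's code).
A client is registered with an allowed scope set; the authorization
endpoint must never grant scopes outside that set.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


class InvalidScope(Exception):
    """RFC 6749 section 4.1.2.1 error code: invalid_scope."""


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    allowed_scopes: frozenset  # scopes approved when the client was registered


# Constructed client registry: a read-only statistics integration.
CLIENTS = {
    "stats-widget": RegisteredClient(
        "stats-widget", frozenset({"user:read", "thread:read"})
    ),
}


def parse_scope_param(authorize_url: str) -> list:
    """Extract the space-delimited 'scope' parameter from an authorization request URL."""
    qs = parse_qs(urlparse(authorize_url).query)
    raw = qs.get("scope", [""])[0]
    return [s for s in raw.split(" ") if s]


def grant_scopes_vulnerable(client_id: str, requested: list) -> set:
    """Vulnerable pattern: the server verifies only that the client exists,
    then honours every requested scope. Any registered client can escalate
    to scopes it was never granted (CWE-863, incorrect authorization)."""
    if client_id not in CLIENTS:
        raise KeyError("unknown client")
    return set(requested)


def grant_scopes_fixed(client_id: str, requested: list) -> set:
    """Hardened pattern, failing closed: every requested scope must be in the
    client's registered allow-list, otherwise the whole request is rejected
    with invalid_scope instead of silently granting a subset."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise KeyError("unknown client")
    requested_set = set(requested)
    if not requested_set:
        raise InvalidScope("scope parameter is required")
    excess = requested_set - client.allowed_scopes
    if excess:
        raise InvalidScope(f"client not authorized for: {sorted(excess)}")
    return requested_set


def excess_scopes_granted(client_id: str, authorize_url: str) -> set:
    """Detection helper for the vulnerable path: the scopes an issued grant
    carries beyond the client's registration. Non-empty means escalation."""
    requested = parse_scope_param(authorize_url)
    granted = grant_scopes_vulnerable(client_id, requested)
    return granted - CLIENTS[client_id].allowed_scopes


if __name__ == "__main__":
    # Constructed authorization request asking for scopes the client
    # was never granted (user:write, admin:users).
    url = ("https://forum.example/oauth2/authorize?response_type=code"
           "&client_id=stats-widget&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
           "&scope=user%3Aread+user%3Awrite+admin%3Ausers")
    print("vulnerable server grants excess:", excess_scopes_granted("stats-widget", url))
    try:
        grant_scopes_fixed("stats-widget", parse_scope_param(url))
    except InvalidScope as err:
        print("fixed server rejects:", err)
```

Rejecting the whole request is a design choice: RFC 6749 also permits issuing a narrower token and reporting the reduced `scope` in the token response, but failing closed makes misconfigured clients visible immediately rather than quietly working with fewer permissions. When auditing an installation, the useful check is the same one `excess_scopes_granted` performs: compare the scopes on issued tokens against each client's registration and treat any difference as a finding.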
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 8.7
Vulnerability type
CWE-863 Incorrect Authorization
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026