CVE-2025-71278 HIGH

CVE-2025-71278: XenForo OAuth2 Unauthorized Scope Request

Vendor Xenforo
Product XenForo
Weakness CWE-863 · Incorrect authorization
Published April 1, 2026
Last update April 1, 2026

CVSS base score

8.7/10 (CVSS v4.0)
Attack vector Network
Attack complexity Low
Attack requirements None
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

XenForo before 2.3.5 allows OAuth2 client applications to request scopes they were not authorized for. Any XenForo 2.3 installation earlier than 2.3.5 that has OAuth2 clients configured is affected: a client application can obtain access beyond the authorization level it was registered with. The CVSS vector's "privileges required: low" is consistent with an attacker who controls a registered client; no user interaction is needed. Upgrading to 2.3.5 addresses the issue; until then, administrators should review which OAuth2 clients are configured and what they can reach.
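The bug class behind this advisory is an authorization server that looks up the client but never checks the requested scopes against the scopes that client was registered for. The following is an added example, not XenForo's code and not the vendor's fix: a generic OAuth2 authorization-endpoint scope check, shown first as the weak version the advisory describes and then hardened. The client registry, scope names and request URL are constructed for the example.

```python
"""Scope validation at an OAuth2 authorization endpoint.

Added example for CVE-2025-71278; this is NOT XenForo's code and not the
vendor's fix. It shows, for a generic OAuth2 authorization server, the
difference between accepting whatever scopes a client asks for and checking
them against the scopes the client was registered with. The client registry,
scope names and request URLs below are constructed for the example.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed registry: the scopes each client was allowed at registration.
CLIENT_REGISTRY = {
    "forum-stats-app": {"user:read", "thread:read"},
    "moderation-bot": {"user:read", "thread:read", "thread:write"},
}

# Every scope the server knows how to issue at all.
KNOWN_SCOPES = {"user:read", "user:write", "thread:read", "thread:write", "admin"}


class InvalidScope(Exception):
    """Maps to the RFC 6749 'invalid_scope' authorization error."""


class InvalidClient(Exception):
    """Unknown client_id."""


def parse_scope_param(raw):
    """RFC 6749 section 3.3: scope is a space-delimited, case-sensitive list."""
    return [token for token in raw.split(" ") if token]


def vulnerable_granted_scopes(client_id, requested):
    """The behaviour the advisory describes: the client is looked up, but the
    requested scopes are granted as-is, so any registered client can ask for
    scopes it was never registered for (including ones the server does not
    even define)."""
    if client_id not in CLIENT_REGISTRY:
        raise InvalidClient(client_id)
    return set(requested)


def hardened_granted_scopes(client_id, requested):
    """Grant only scopes that are known to the server AND registered for this
    client. Over-broad requests are rejected outright rather than silently
    narrowed, so a client cannot mistake a downgraded grant for a full one."""
    if client_id not in CLIENT_REGISTRY:
        raise InvalidClient(client_id)
    allowed = CLIENT_REGISTRY[client_id]
    wanted = set(requested)
    if not wanted:
        # RFC 6749 lets the server apply a default; here it is the registered set.
        return set(allowed)
    unknown = wanted - KNOWN_SCOPES
    if unknown:
        raise InvalidScope("unknown scope(s): " + " ".join(sorted(unknown)))
    excess = wanted - allowed
    if excess:
        raise InvalidScope("not registered for client: " + " ".join(sorted(excess)))
    return wanted


def authorize(url, grant_fn):
    """Parse an /oauth2/authorize request URL and return the scopes that would
    be attached to the resulting authorization code under grant_fn."""
    query = parse_qs(urlsplit(url).query)
    client_id = query.get("client_id", [""])[0]
    requested = parse_scope_param(query.get("scope", [""])[0])
    return grant_fn(client_id, requested)


def demo():
    """Constructed request: a read-only stats app also asks for 'admin'."""
    url = ("https://forum.example/oauth2/authorize?response_type=code"
           "&client_id=forum-stats-app&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
           "&scope=user%3Aread+admin&state=xyz")
    before = authorize(url, vulnerable_granted_scopes)
    try:
        authorize(url, hardened_granted_scopes)
        after = "granted"
    except InvalidScope as exc:
        after = "rejected: " + str(exc)
    return before, after


if __name__ == "__main__":
    granted, outcome = demo()
    print("vulnerable server grants:", sorted(granted))
    print("hardened server:", outcome)
```

The same check belongs at the token endpoint as well (the scopes bound to an authorization code must be re-validated when it is exchanged, and a refresh-token exchange must not widen the original grant), otherwise a correct authorization endpoint can still be bypassed one step later.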

Key dates

Disclosure timeline

April 1, 2026 CVE published
April 1, 2026 Record updated