XenForo Passkey Authentication Bypass Vulnerability Enables Account Compromise (CVE-2025-71279)
Summary
XenForo versions prior to 2.3.7 contain a critical security flaw (CVE-2025-71279, CVSS 9.8) affecting Passkey-based authentication. An attacker may be able to bypass Passkey authentication on affected forum installations and gain unauthorized access to user accounts.
Threat Analysis
CVE-2025-71279 affects XenForo forum software versions prior to 2.3.7. The vulnerability involves a security issue in the implementation of Passkeys (FIDO2/WebAuthn authentication), which are increasingly adopted as a phishing-resistant alternative to passwords. The flaw could allow attackers to bypass Passkey authentication controls and gain unauthorized access to user accounts, including administrator accounts.

XenForo is one of the most widely deployed forum platforms, used by thousands of online communities worldwide. A successful exploit could allow attackers to take over high-privilege accounts, access private messages, and potentially compromise the entire forum installation.

The vulnerability was published on April 1, 2026, with a CVSS score of 9.8.

XenForo administrators should immediately upgrade to version 2.3.7 or later. Until patching is complete, consider temporarily disabling Passkey authentication and requiring users to authenticate via alternative methods. Monitor admin logs for unauthorized access attempts.
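The only remediation the advisory gives is a version threshold (upgrade to 2.3.7 or later), so the first thing an administrator running several forums needs is a reliable way to triage which installations are still below it. The script below is an added example, not code from the advisory or from XenForo: it parses version strings such as those shown in the XenForo admin control panel and flags any install older than 2.3.7. The handling of pre-release labels ("Beta", "Release Candidate"/"RC"), which sorts them below the final release of the same number, is an assumption about XenForo's version naming; the inventory at the bottom is constructed sample data, not real hosts.

```python
import re

# Fixed release named in the advisory for CVE-2025-71279.
FIXED_VERSION = "2.3.7"

# Assumed XenForo-style version grammar: "2.3.6", "2.3.7 Beta 1",
# "2.3.7 Release Candidate 2" or "2.3.7 RC 2". Not taken from the advisory.
_VERSION_RE = re.compile(
    r"\s*(\d+)\.(\d+)\.(\d+)\s*(?:(Beta|Release Candidate|RC)\s*(\d+))?\s*",
    re.IGNORECASE,
)


def parse_version(version: str) -> tuple:
    """Turn a version string into a sortable tuple.

    A pre-release (Beta < RC) sorts below the final release of the same
    number, so "2.3.7 Beta 1" is still treated as older than 2.3.7.
    """
    m = _VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    label = m.group(4)
    if label is None:
        stage, stage_num = 2, 0                    # final release
    elif label.lower() == "beta":
        stage, stage_num = 0, int(m.group(5))      # beta
    else:
        stage, stage_num = 1, int(m.group(5))      # release candidate
    return (major, minor, patch, stage, stage_num)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when this XenForo version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(installs: dict) -> list:
    """Return the names of installs that still need the upgrade."""
    return [name for name, ver in installs.items() if is_affected(ver)]


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    inventory = {
        "forum-a": "2.2.15",
        "forum-b": "2.3.6",
        "forum-c": "2.3.7",
        "forum-d": "2.3.7 Beta 1",
        "forum-e": "2.3.8",
    }
    for host in triage(inventory):
        print(f"{host}: {inventory[host]} is below {FIXED_VERSION}, "
              f"upgrade for CVE-2025-71279")
```

Until each flagged install is upgraded, the advisory's interim steps apply to it: disable Passkey login, fall back to the other authentication methods, and review the admin logs.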