Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable batch endpoint (AV:N/AC:L) but requires a moderator account (PR:L); no data disclosure (C:N) while topics can be altered and deleted (I:H/A:H).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted forum as an anchor in a batch request, causing the permission check applied only to the first result to pass, and then execute lock, unlock, delete, or hide actions against topics in unmoderated forums.
AnalysisAI
Authorization bypass in FlaskBB through 2.2.0 lets authenticated moderators perform lock, unlock, delete, or hide actions on topics in forums they have no authority over. By anchoring a crafted batch request with a low-ID topic from a permitted forum, the attacker slips past a permission check that is applied only to the first result. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated FlaskBB account with moderator privileges on at least one forum (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The available signals are consistent and point to a real but privilege-gated integrity/availability risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user holding moderator rights on at least one low-privilege forum crafts a batch moderation request whose topic ID list begins with a low-ID topic from that permitted forum and then appends topic IDs from forums they do not moderate. The single permission check passes on the anchor topic, so the server proceeds to delete or hide the appended topics in the unmoderated forums. … |
| Remediation | Upstream fix available (commit acc88cf); a released, tagged patched version is not independently confirmed from the input, so upgrade to a FlaskBB build that includes commit acc88cfedd011124395e0101cb27432a47f712be (https://github.com/flaskbb/flaskbb/commit/acc88cfedd011124395e0101cb27432a47f712be) or later, following advisory GHSA-9rjj-9p2h-6c55 (https://github.com/flaskbb/flaskbb/security/advisories/GHSA-9rjj-9p2h-6c55). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all FlaskBB instances running version 2.2.0 or earlier and review audit logs for unauthorized topic modifications by moderators. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42878