Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires authenticated admin (PR:H) over the network via a single AJAX call (AC:L); impact is data destruction and site outage (I:H/A:H) with no confidentiality loss (C:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares received JSON integer group IDs against string literals, causing the protection check to always pass, which allows deletion of all six built-in groups and destroys the forum's permission model, potentially rendering the site unusable.
AnalysisAI
Authorization-model destruction in FlaskBB forum software (versions up to and including 2.2.0) lets an authenticated administrator wipe all six built-in permission groups through the management bulk-delete AJAX endpoint. Because the endpoint compares JSON integer group IDs against string literals, the guard meant to protect built-in groups never matches and silently allows their removal, collapsing the forum's entire permission model and potentially bricking the site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with administrator privileges (CVSS PR:H) and access to the management/admin bulk-delete AJAX endpoint that accepts JSON group IDs; the vulnerability triggers only through this specific bulk-delete path where integer IDs are compared against string literals. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 score of 8.6 (High) reflects network attack vector, low complexity, no user interaction, and full VC/VI/VA impact, but is gated by PR:H - exploitation requires existing administrator privileges, which sharply narrows the realistic attacker population to insiders, compromised admin accounts, or session/credential theft. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained FlaskBB administrator access - via a compromised admin credential, phished session, or a malicious insider - opens the group management view and issues a bulk-delete request whose JSON payload contains the integer IDs of the built-in groups. The type-mismatch guard fails to block them, all six built-in groups are removed, and the forum's permission model collapses, denying access and moderation capability to all users. … |
| Remediation | Upgrade FlaskBB to a build containing the upstream fix - the patch is available in commit a5da9a5 (https://github.com/flaskbb/flaskbb/commit/a5da9a529adddc65fe31e275192b642a4e32de64); this is an upstream commit fix, so a released patched version is not independently confirmed from the provided data and operators tracking 2.2.0 should pull the patched commit or the next tagged release above 2.2.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all FlaskBB instances and identify those running versions up to 2.2.0; restrict administrative access to the bulk-delete and forum management endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-697 – Incorrect Comparison
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42877