Skip to main content

FlaskBB CVE-2026-46556

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-21 https://github.com/flaskbb/flaskbb GHSA-xq32-9g7q-7297
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 21, 2026 - 21:36 vuln.today
Analysis Generated
May 21, 2026 - 21:36 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 pypi packages depend on flaskbb (8 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.2.0.

DescriptionGitHub Advisory

###Summary A Server-Side Request Forgery (SSRF) vulnerability in get_image_info() allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services (e.g., AWS 169.254.169.254). This is a blind SSRF with confirmed internal port scanning and internal API triggering capabilities. CVSS 6.5 Medium.

###Details In flaskbb/utils/helpers.py (line 571), the url parameter is passed directly to requests.get(url, stream=True) without any validation of scheme, host, or IP address.

python
# flaskbb/utils/helpers.py:571
def get_image_info(url: str):
    r = requests.get(url, timeout=(3.05, 27), stream=True)

Attack chain:

POST /user/settings/user-details (avatar URL)
→ ValidateAvatarURL.validate()
# validators.py:103
→ check_image(avatar)
# helpers.py:628
→ get_image_info(url)
# helpers.py:571
→ requests.get(url)
# No domain/IP restriction
Entry points:

/user/settings/user-details (any authenticated user)
/admin/users/<id>/edit (admin only)

###PoC submit.zip

Log in to FlaskBB as any user Navigate to Settings → User Details Enter http://169.254.169.254/latest/meta-data/ as the avatar URL Submit the form The server sends a GET request to the internal metadata endpoint

Three exploitation channels confirmed:

Server-side request: Captured on mock metadata server Internal port scan: check_image() returns distinct errors (CONN_REFUSED, NO_CONTENT_LENGTH, TYPE_NOT_ALLOWED, SUCCESS) that map internal network topology Internal API triggering: Mock APIs on 127.0.0.1:9200 triggered via SSRF (deploy, shutdown, key dump endpoints)

###Impact Any authenticated user is impacted. Attackers can force the server to request internal services, cloud metadata endpoints, or private network resources. On cloud deployments (AWS/GCP/Azure), IAM credentials can be leaked. In production, any GET-triggered internal service is reachable: CI/CD webhooks, Elasticsearch, etcd, Consul, etc.

AnalysisAI

Blind Server-Side Request Forgery in FlaskBB's avatar URL handling allows any authenticated user to force the server to issue arbitrary HTTP GET requests to internal network endpoints, including cloud instance metadata services (AWS IMDSv1 at 169.254.169.254, GCP, Azure equivalents). All versions up to and including 2.2.0 of the pip-distributed FlaskBB package are affected, with no vendor-released patch available at time of analysis. A proof-of-concept is publicly available via the GitHub Security Advisory, and three distinct exploitation channels have been demonstrated: direct credential exfiltration from cloud metadata services, internal port scanning via differential error responses, and triggering of internal APIs (Elasticsearch, etcd, Consul, CI/CD webhooks).

Technical ContextAI

FlaskBB is a Python-based forum application built on Flask. The vulnerability resides in flaskbb/utils/helpers.py at line 571, where the get_image_info() function accepts a URL string and passes it directly to Python's requests.get(url, stream=True) with no validation of URL scheme, hostname, or IP address range. The call chain is: POST /user/settings/user-details → ValidateAvatarURL.validate() in validators.py:103 → check_image() in helpers.py:628 → get_image_info() in helpers.py:571 → unrestricted requests.get(). The root cause class is CWE-918 (Server-Side Request Forgery), where user-controlled input is used to construct and execute a server-side HTTP request without allowlist or denylist controls. The CPE identifier is pkg:pip/flaskbb, indicating the vulnerability is in the PyPI-distributed package. A secondary exploitation channel arises because check_image() returns distinct error codes (CONN_REFUSED, NO_CONTENT_LENGTH, TYPE_NOT_ALLOWED, SUCCESS) that leak internal network topology, making this an oracle-assisted blind SSRF rather than a fully blind one.

RemediationAI

No vendor-released patch is available for CVE-2026-46556 at time of analysis - the GitHub Security Advisory confirms fixed version as None. Until a patch is released, operators should implement the following specific compensating controls. First, deploy a URL allowlist or denylist in the avatar URL validation path: modify ValidateAvatarURL.validate() in validators.py to reject requests targeting RFC-1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local addresses (169.254.0.0/16); this directly blocks cloud metadata and internal network targeting. Second, on AWS deployments, enforce IMDSv2 (hop limit 1, require session tokens) via EC2 instance metadata service configuration - this prevents token-less metadata retrieval even if SSRF reaches 169.254.169.254. Third, apply egress network controls at the host or container level to restrict outbound HTTP from the FlaskBB process to only required external domains. Fourth, disable avatar URL ingestion entirely (set the feature to disallow external URL avatars) if the functionality is non-essential - this eliminates the attack surface entirely with no SSRF residual. Monitor for advisory updates at https://github.com/flaskbb/flaskbb/security/advisories/GHSA-xq32-9g7q-7297.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-46556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy