FlaskBB CVE-2026-46556
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 8 pypi packages depend on flaskbb (8 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.2.0.
DescriptionGitHub Advisory
###Summary A Server-Side Request Forgery (SSRF) vulnerability in get_image_info() allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services (e.g., AWS 169.254.169.254). This is a blind SSRF with confirmed internal port scanning and internal API triggering capabilities. CVSS 6.5 Medium.
###Details In flaskbb/utils/helpers.py (line 571), the url parameter is passed directly to requests.get(url, stream=True) without any validation of scheme, host, or IP address.
python
# flaskbb/utils/helpers.py:571
def get_image_info(url: str):
r = requests.get(url, timeout=(3.05, 27), stream=True)Attack chain:
POST /user/settings/user-details (avatar URL)
→ ValidateAvatarURL.validate()
# validators.py:103
→ check_image(avatar)
# helpers.py:628
→ get_image_info(url)
# helpers.py:571
→ requests.get(url)
# No domain/IP restriction
Entry points:
/user/settings/user-details (any authenticated user)
/admin/users/<id>/edit (admin only)
###PoC submit.zip
Log in to FlaskBB as any user Navigate to Settings → User Details Enter http://169.254.169.254/latest/meta-data/ as the avatar URL Submit the form The server sends a GET request to the internal metadata endpoint
Three exploitation channels confirmed:
Server-side request: Captured on mock metadata server Internal port scan: check_image() returns distinct errors (CONN_REFUSED, NO_CONTENT_LENGTH, TYPE_NOT_ALLOWED, SUCCESS) that map internal network topology Internal API triggering: Mock APIs on 127.0.0.1:9200 triggered via SSRF (deploy, shutdown, key dump endpoints)
###Impact Any authenticated user is impacted. Attackers can force the server to request internal services, cloud metadata endpoints, or private network resources. On cloud deployments (AWS/GCP/Azure), IAM credentials can be leaked. In production, any GET-triggered internal service is reachable: CI/CD webhooks, Elasticsearch, etcd, Consul, etc.
AnalysisAI
Blind Server-Side Request Forgery in FlaskBB's avatar URL handling allows any authenticated user to force the server to issue arbitrary HTTP GET requests to internal network endpoints, including cloud instance metadata services (AWS IMDSv1 at 169.254.169.254, GCP, Azure equivalents). All versions up to and including 2.2.0 of the pip-distributed FlaskBB package are affected, with no vendor-released patch available at time of analysis. A proof-of-concept is publicly available via the GitHub Security Advisory, and three distinct exploitation channels have been demonstrated: direct credential exfiltration from cloud metadata services, internal port scanning via differential error responses, and triggering of internal APIs (Elasticsearch, etcd, Consul, CI/CD webhooks).
Technical ContextAI
FlaskBB is a Python-based forum application built on Flask. The vulnerability resides in flaskbb/utils/helpers.py at line 571, where the get_image_info() function accepts a URL string and passes it directly to Python's requests.get(url, stream=True) with no validation of URL scheme, hostname, or IP address range. The call chain is: POST /user/settings/user-details → ValidateAvatarURL.validate() in validators.py:103 → check_image() in helpers.py:628 → get_image_info() in helpers.py:571 → unrestricted requests.get(). The root cause class is CWE-918 (Server-Side Request Forgery), where user-controlled input is used to construct and execute a server-side HTTP request without allowlist or denylist controls. The CPE identifier is pkg:pip/flaskbb, indicating the vulnerability is in the PyPI-distributed package. A secondary exploitation channel arises because check_image() returns distinct error codes (CONN_REFUSED, NO_CONTENT_LENGTH, TYPE_NOT_ALLOWED, SUCCESS) that leak internal network topology, making this an oracle-assisted blind SSRF rather than a fully blind one.
RemediationAI
No vendor-released patch is available for CVE-2026-46556 at time of analysis - the GitHub Security Advisory confirms fixed version as None. Until a patch is released, operators should implement the following specific compensating controls. First, deploy a URL allowlist or denylist in the avatar URL validation path: modify ValidateAvatarURL.validate() in validators.py to reject requests targeting RFC-1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local addresses (169.254.0.0/16); this directly blocks cloud metadata and internal network targeting. Second, on AWS deployments, enforce IMDSv2 (hop limit 1, require session tokens) via EC2 instance metadata service configuration - this prevents token-less metadata retrieval even if SSRF reaches 169.254.169.254. Third, apply egress network controls at the host or container level to restrict outbound HTTP from the FlaskBB process to only required external domains. Fourth, disable avatar URL ingestion entirely (set the feature to disallow external URL avatars) if the functionality is non-essential - this eliminates the attack surface entirely with no SSRF residual. Monitor for advisory updates at https://github.com/flaskbb/flaskbb/security/advisories/GHSA-xq32-9g7q-7297.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xq32-9g7q-7297