CVE-2026-22659
Received Received - Intake

Authorization Bypass in FlaskBB via Topic ID Manipulation

Vulnerability report for CVE-2026-22659, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted forum as an anchor in a batch request, causing the permission check applied only to the first result to pass, and then execute lock, unlock, delete, or hide actions against topics in unmoderated forums.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
flaskbb flaskbb to 2.2.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include restricting moderators from performing batch actions on topics across multiple forums simultaneously.

Since the vulnerability is fixed in commit acc88cf, applying this patch or upgrading to a version including this fix is the recommended solution.

If patching or upgrading is not immediately possible, consider the following temporary mitigations:

  • Limit moderator permissions to only allow actions on topics within forums they explicitly control.
  • Monitor and audit moderator batch actions closely to detect suspicious activity.
  • Educate moderators about the risk of submitting batch requests with topic IDs from multiple forums.

Ultimately, applying the fix from commit acc88cf, which adds a check preventing batch modifications across multiple forums, is the definitive mitigation.

Executive Summary

CVE-2026-22659 is an authorization bypass vulnerability in FlaskBB versions up to 2.2.0 that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control.

The vulnerability occurs because when a moderator submits a batch request to perform actions like lock, unlock, delete, or hide on multiple topics, the system only checks permissions on the first topic in the list.

Attackers can exploit this by including a low-ID topic from a forum they are allowed to moderate as an anchor in the request, which causes the permission check to pass, and then perform unauthorized actions on topics in other forums where they lack permissions.

This is an example of an Insecure Direct Object Reference (IDOR) flaw, allowing moderators to manipulate content across forums improperly.

Impact Analysis

This vulnerability can have a significant impact by allowing moderators to perform unauthorized actions such as locking, unlocking, deleting, or hiding topics in forums they do not control.

Such unauthorized actions can lead to content destruction or manipulation across the platform, compromising the integrity and availability of forum data.

Because the attack requires only low privileges (authenticated moderator) and has low complexity, it poses a high risk to the system's security.

Detection Guidance

This vulnerability involves an authorization bypass via crafted topic ID lists submitted by authenticated moderators. Detection involves monitoring for unusual batch requests where topic ID lists include low-ID topics from permitted forums combined with topics from unmoderated forums.

Specifically, detection can focus on identifying batch actions (lock, unlock, delete, hide) performed by moderators that include topic IDs spanning multiple forums, especially when a low-ID topic from a permitted forum is used as an anchor.

Since the vulnerability exploits improper authorization checks in batch requests, network or application logs should be inspected for such requests.

Suggested commands depend on your logging and monitoring setup, but examples include:

  • Using grep or similar tools on web server or application logs to find batch topic action requests containing multiple topic IDs.
  • Example (Linux shell): grep -iE 'lock|unlock|delete|hide' /var/log/flaskbb/access.log | grep 'topic_ids='
  • Querying the database for recent batch actions by moderators that include topic IDs from multiple forums.
  • Example SQL to detect batch actions spanning multiple forums (requires knowledge of schema):
  • SELECT moderator_id, COUNT(DISTINCT forum_id) AS forum_count FROM topic_actions WHERE action_time > NOW() - INTERVAL '1 DAY' GROUP BY moderator_id HAVING forum_count > 1;

Note: Specific commands depend on your environment and logging configuration. There is no direct signature or automated detection command provided in the resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart