CVE-2026-22660
Received Received - Intake

FlaskBB Admin Group Deletion Logic Flaw

Vulnerability report for CVE-2026-22660, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares received JSON integer group IDs against string literals, causing the protection check to always pass, which allows deletion of all six built-in groups and destroys the forum's permission model, potentially rendering the site unusable.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
flaskbb flaskbb to 2.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-22660 is a logic flaw vulnerability in FlaskBB versions 2.2.0 and earlier that allows authenticated administrators to delete all built-in authorization groups. The issue arises because the bulk AJAX endpoint in the management views compares JSON integer group IDs against string literals, causing the protection check to always pass.

This flaw enables an attacker with administrative privileges to exploit the type mismatch and delete all six built-in groups, which include critical groups like Administrator, Super Moderator, Moderator, Member, Banned, and Guest.

Deleting these groups destroys the forum's permission model and can potentially render the site unusable.

Impact Analysis

If exploited, this vulnerability allows an authenticated administrator to delete all six built-in authorization groups in FlaskBB, which are essential for managing user permissions.

This deletion breaks the forum's permission system, potentially rendering the site unusable by removing the ability to properly assign roles and permissions.

The impact includes loss of control over user access, disruption of forum operations, and a high severity risk to confidentiality, integrity, and availability of the system.

Detection Guidance

This vulnerability involves a logic flaw in FlaskBB's bulk AJAX endpoint where authenticated administrators can delete built-in authorization groups due to a type mismatch in the protection check.

To detect exploitation attempts on your system, you can monitor HTTP POST requests to the bulk delete AJAX endpoint in the management views that include JSON payloads with group IDs.

Specifically, look for POST requests where integer group IDs are sent that correspond to the built-in groups (IDs 1 through 6) being deleted.

Commands to help detect such activity might include:

  • Using web server logs (e.g., Apache or Nginx) to grep for POST requests to the bulk delete endpoint URL, for example: `grep 'POST /management/groups/bulk-delete' /var/log/nginx/access.log`
  • Using tools like tcpdump or Wireshark to capture and inspect HTTP traffic for suspicious POST requests containing JSON payloads with group IDs.
  • If you have access to the FlaskBB database, query the authorization groups table to check if the six built-in groups (typically Administrator, Super Moderator, Moderator, Member, Banned, Guest) are missing or deleted.
Mitigation Strategies

The immediate mitigation step is to update FlaskBB to a version that includes the fix from commit a5da9a5, which prevents deletion of the six built-in authorization groups by properly handling type checks and input validation.

If updating immediately is not possible, restrict administrative access to trusted users only and monitor for suspicious bulk delete requests.

Additionally, review and restore any deleted built-in authorization groups to maintain the forum's permission model.

The fix includes:

  • Adding a constant to identify protected groups and prevent their deletion.
  • Converting group IDs to integers and validating inputs to avoid type mismatch.
  • Providing error messages when attempts to delete protected groups occur.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22660. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart