๐Ÿ” CVE Alert

CVE-2026-22659

HIGH 8.1

FlaskBB Authorization Bypass via Topic ID Manipulation

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted forum as an anchor in a batch request, causing the permission check applied only to the first result to pass, and then execute lock, unlock, delete, or hide actions against topics in unmoderated forums.

CWE CWE-863
Vendor flaskbb
Product flaskbb
Published Jul 10, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for flaskbb flaskbb

Be the first to know when new high vulnerabilities affecting flaskbb flaskbb are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Affected Versions

flaskbb / flaskbb
0 โ‰ค 2.2.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/flaskbb/flaskbb/security/advisories/GHSA-9rjj-9p2h-6c55 github.com: https://github.com/flaskbb/flaskbb/commit/acc88cfedd011124395e0101cb27432a47f712be vulncheck.com: https://www.vulncheck.com/advisories/flaskbb-authorization-bypass-via-topic-id-manipulation

Credits

Hamed Kohi (@0xHamy) VulnCheck