Authorization Bypass Vulnerability in FlaskBB Forum Software
CVE-2026-22659

7.2HIGH

Key Information:

Vendor

Flaskbb

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-22659?

FlaskBB versions prior to 2.2.0 are vulnerable to an authorization bypass issue that permits registered moderators to perform unauthorized actions on forum topics not under their control. By crafting requests with manipulated topic ID lists, attackers can exploit the vulnerability by including a low-ID topic from a permitted forum, thus circumventing permission checks for subsequent topics. This allows unauthorized modifications such as locking, unlocking, deleting, or hiding topics across unmoderated forums, posing a significant risk to forum integrity.

Affected Version(s)

flaskbb 0 <= 2.2.0

flaskbb 0 <= 2.2.0

flaskbb https://github.com/flaskbb/flaskbb/commit/a5da9a52

References

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hamed Kohi (@0xHamy)
VulnCheck
.