Logic Flaw in FlaskBB Allows Administrators to Remove Built-in Authorization Groups
CVE-2026-22660
8.6HIGH
What is CVE-2026-22660?
A logic flaw in FlaskBB versions up to 2.2.0 allows authenticated administrators to exploit a vulnerability in the bulk delete protection check via a type mismatch. This flaw occurs in the bulk AJAX endpoint, where the comparison between integer group IDs and string literals fails, resulting in the protection check passing erroneously. Consequently, administrators can delete all built-in authorization groups, thereby compromising the forum's permission model and potentially rendering the site inoperable. A fix has been implemented in later commits to address this critical issue.
Affected Version(s)
flaskbb 0 <= 2.2.0
flaskbb 0 <= 2.2.0
flaskbb https://github.com/flaskbb/flaskbb/commit/a5da9a52
