Logic Flaw in FlaskBB Allows Administrators to Remove Built-in Authorization Groups
CVE-2026-22660

8.6HIGH

Key Information:

Vendor

Flaskbb

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-22660?

A logic flaw in FlaskBB versions up to 2.2.0 allows authenticated administrators to exploit a vulnerability in the bulk delete protection check via a type mismatch. This flaw occurs in the bulk AJAX endpoint, where the comparison between integer group IDs and string literals fails, resulting in the protection check passing erroneously. Consequently, administrators can delete all built-in authorization groups, thereby compromising the forum's permission model and potentially rendering the site inoperable. A fix has been implemented in later commits to address this critical issue.

Affected Version(s)

flaskbb 0 <= 2.2.0

flaskbb 0 <= 2.2.0

flaskbb https://github.com/flaskbb/flaskbb/commit/a5da9a52

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hamed Kohi (@0xHamy)
VulnCheck
.