CVE-2026-22659

Source
https://cve.org/CVERecord?id=CVE-2026-22659
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22659.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22659
Aliases
  • GHSA-9rjj-9p2h-6c55
Published
2026-07-10T13:31:02.784Z
Modified
2026-07-16T03:31:12.202878362Z
Severity
  • 7.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
FlaskBB Authorization Bypass via Topic ID Manipulation
Details

FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted forum as an anchor in a batch request, causing the permission check applied only to the first result to pass, and then execute lock, unlock, delete, or hide actions against topics in unmoderated forums.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22659.json",
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/flaskbb/flaskbb

Affected ranges

Type
GIT
Repo
https://github.com/flaskbb/flaskbb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.0"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

v1.*
v1.0
v2.*
v2.0.0
v2.1.0
v2.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22659.json"