CVE-2026-22660

Source
https://cve.org/CVERecord?id=CVE-2026-22660
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22660.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22660
Aliases
  • GHSA-r9cf-jxr6-5h3r
Published
2026-07-10T13:26:31.423Z
Modified
2026-07-16T03:30:50.893008594Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
FlaskBB Logic Flaw Authorization Group Deletion via Bulk AJAX Endpoint
Details

FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares received JSON integer group IDs against string literals, causing the protection check to always pass, which allows deletion of all six built-in groups and destroys the forum's permission model, potentially rendering the site unusable.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22660.json",
    "cwe_ids": [
        "CWE-697"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/flaskbb/flaskbb

Affected ranges

Type
GIT
Repo
https://github.com/flaskbb/flaskbb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.0"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

v1.*
v1.0
v2.*
v2.0.0
v2.1.0
v2.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22660.json"