CVE-2023-22489
CVE-2023-22489 is a low-severity vulnerability in Flarum with a CVSS 3.x base score of 3.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-862.
Key facts
- Severity: Low (CVSS 3.x base score 3.5)
- EPSS exploit prediction: 1% (42nd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-862
- Affected product: Flarum
- Published:
- Last modified:
Description
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email. Guests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This happens because when the first post of a discussion is permanently deleted, the `first_post_id` attribute of the discussion becomes `null` which causes access control to be skipped for all new replies. Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that `discussions.comment_count` is still above zero after the post deletion. This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to. In combination with the email notification settings, this could also be used as a way to send unsolicited emails. Versions between `v1.3.0` and `v1.6.3` are impacted. The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible. There are no known workarounds.
Frequently asked questions
- What is CVE-2023-22489?
- Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email. Guests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This happens because when the first post of a discussion is permanently deleted, the `first_post_id` attribute of the discussion becomes `null` which causes access control to be skipped for all new replies. Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that `discussions.comment_count` is still above zero after the post deletion. This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to. In combination with the email notification settings, this could also be used as a way to send unsolicited emails. Versions between `v1.3.0` and `v1.6.3` are impacted. The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible. There are no known workarounds.
- How severe is CVE-2023-22489?
- CVE-2023-22489 has a CVSS 3.x base score of 3.5, rated low severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2023-22489 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (42nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-22489?
- CVE-2023-22489 affects Flarum. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-22489?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-22489 published?
- CVE-2023-22489 was published on 2023-01-13 and last updated on 2026-06-17.
References
- https://github.com/flarum/framework/commit/12f14112a0ecd1484d97330b82beb2a145919015
- https://github.com/flarum/framework/releases/tag/v1.6.3
- https://github.com/flarum/framework/security/advisories/GHSA-hph3-hv3c-7725
Affected products (1)
- cpe:2.3:a:flarum:flarum:*:*:*:*:*:*:*:*
More vulnerabilities in Flarum
- CVE-2021-32671 — Critical (CVSS 10.0): Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be…
- CVE-2022-41938 — Critical (CVSS 9.0): Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into…
- CVE-2019-13183 — High (CVSS 8.8): Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.
- CVE-2023-22487 — High (CVSS 7.7): Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions…
- CVE-2019-11514 — High (CVSS 7.5): User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens.
- CVE-2023-40033 — High (CVSS 7.1): Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a…
Other CWE-862 (Missing Authorization) vulnerabilities
- CVE-2026-0092 — Critical (CVSS 10.0): In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could…
- CVE-2026-33712 — Critical (CVSS 10.0): Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST…
- CVE-2026-2031 — Critical (CVSS 10.0): An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration…
- CVE-2026-34976 — Critical (CVSS 10.0): Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing…
- CVE-2025-30416 — Critical (CVSS 10.0): Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis…
- CVE-2025-45854 — Critical (CVSS 10.0): /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.
Browse all CWE-862 (Missing Authorization) vulnerabilities →