CVE-2023-40033
CVE-2023-40033 is a high-severity vulnerability in Flarum with a CVSS 3.x base score of 7.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-918.
Key facts
- Severity: High (CVSS 3.x base score 7.1)
- EPSS exploit prediction: 0% (34th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-918
- Affected product: Flarum
- Published:
- Last modified:
Description
Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the `intervention/image` package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. This allows an attacker to exploit the vulnerability to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack. This has been patched in Flarum version 1.8.0. Users are advised to upgrade. Users unable to upgrade may disable PHP's `allow_url_fopen` which will prevent the fetching of external files via URLs as a temporary workaround for the SSRF aspect of the vulnerability.
Frequently asked questions
- What is CVE-2023-40033?
- Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the `intervention/image` package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. This allows an attacker to exploit the vulnerability to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack. This has been patched in Flarum version 1.8.0. Users are advised to upgrade. Users unable to upgrade may disable PHP's `allow_url_fopen` which will prevent the fetching of external files via URLs as a temporary workaround for the SSRF aspect of the vulnerability.
- How severe is CVE-2023-40033?
- CVE-2023-40033 has a CVSS 3.x base score of 7.1, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability none.
- Is CVE-2023-40033 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (34th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-40033?
- CVE-2023-40033 affects Flarum. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-40033?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2023-40033 published?
- CVE-2023-40033 was published on 2023-08-16 and last updated on 2026-06-17.
References
- https://github.com/flarum/framework/commit/d1059c1cc79fe61f9538f3da55e8f42abbede570
- https://github.com/flarum/framework/security/advisories/GHSA-67c6-q4j4-hccg
Affected products (1)
- cpe:2.3:a:flarum:flarum:*:*:*:*:*:*:*:*
More vulnerabilities in Flarum
- CVE-2021-32671 — Critical (CVSS 10.0): Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be…
- CVE-2022-41938 — Critical (CVSS 9.0): Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into…
- CVE-2019-13183 — High (CVSS 8.8): Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.
- CVE-2023-22487 — High (CVSS 7.7): Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions…
- CVE-2019-11514 — High (CVSS 7.5): User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens.
- CVE-2025-27794 — Medium (CVSS 6.8): Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an…
Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities
- CVE-2026-47938 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF)…
- CVE-2026-35431 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to…
- CVE-2026-32186 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-33107 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-32871 — Critical (CVSS 10.0): FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP…
- CVE-2026-32169 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a…
Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →