Missing Authorization in Flarum - CVE-2023-22489

Published: January 10, 2023 / Updated: April 20, 2026

Vulnerability identifier: #VU126530
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-22489
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Flarum
Software vendor: Flarum

Description

The vulnerability allows a remote user to bypass reply restrictions and post replies in public discussions.

The vulnerability exists due to improper access control in the Flarum REST API when creating replies to a visible discussion whose first post was permanently deleted. A remote user can send a reply creation request to bypass reply restrictions and post replies in public discussions.

The issue occurs only if the discussion remains visible after the first post is deleted, such as when it still has at least one approved reply. User interaction is required because the user must submit a reply.

Remediation

Install security update from vendor's website.

External links