CVE-2023-22489 - Flarum REST API Bug Lets Unauthorized Users Post Replies—How It Works and Why You Should Update

Flarum is a popular, modern discussion platform used by communities and websites across the globe. In late 2023, a critical vulnerability was discovered affecting its core—specifically within the way it handles discussions where the first post has been permanently deleted. This vulnerability is tracked as CVE-2023-22489. In this post, we'll break down what happened, how the exploit works, who’s affected, and how to secure your Flarum instance.

What is CVE-2023-22489?

CVE-2023-22489 is a security flaw in Flarum’s REST API that lets authenticated users create new replies in certain discussions—even if they don't have permission, or if the discussion has been locked.

The discussion itself remains visible (not deleted or hidden).

- There's still at least one approved reply left, ensuring the discussion doesn’t disappear due to having zero comments.

If these conditions hold, any actor who can view the discussion can post replies via the API, regardless of reply permissions or lock status. That includes users with unverified emails— but not guests/anonymous users, since their attempts cause a database error.

Technical Behind-the-Scenes

When you delete the first post of a discussion directly from the database, Flarum sets the discussion’s first_post_id attribute to null. Some of Flarum's access control checks for the reply endpoint are tied to this field. With it gone, these checks just don’t run.

First Post Deleted: discussions.first_post_id is set to null.

2. Remaining Replies: Only works if there’s at least one approved reply (comment_count > ), or Flarum would hide the discussion anyway.
3. Access Control Skipped: When a user tries to add a new reply via the REST API, Flarum skips enforcing the usual reply permissions.
4. New Reply Created: The user (even one with an unvalidated/unknown email) can post a reply — even in a locked thread.
5. Guests Blocked by Accident: If a guest (i.e., not logged in) tries this, Flarum’s database throws a 500 error since it refuses to set user_id to .

This bug holds for all Flarum versions from v1.3. up to, but not including, v1.6.3.

How To Exploit: Example Request

Here’s a basic example of how an authenticated user (with a login session or an API token) could exploit this vulnerability with a single HTTP POST:

POST /api/posts HTTP/1.1
Host: <flarum-site>
Authorization: Token <user-token>
Content-Type: application/json

{
  "data": {
    "attributes": {
      "content": "This shouldn't be allowed!",
      "discussionId": <id_of_vulnerable_discussion>
    },
    "type": "posts"
  }
}

You just need a valid discussion id that matches the conditions above.

Note: If you try this as a guest (no Authorization token), the API will try to use user_id = , crash, and return a 500 error, so it doesn't work.

If left unfixed, bad actors could

- Spam discussions even when reply/lock permissions are set to block them.

Bypass moderation and flood threads.

- Trigger unwanted email notifications (since Flarum can email about new replies), possibly as part of a harassment or nuisance campaign.

Confuse users by unlocking supposedly locked or closed topics.

The bug especially matters for open communities, or where users have unvalidated emails, who can spam locked threads or reply when they shouldn't.

Real World Scenarios

Imagine a popular thread discussing a hot topic. Moderators nuke the OP and lock the discussion. Due to this bug, any regular user still with the page open or sniffing API calls, would be able to push more replies, sending notifications and sowing chaos. Since email validation is bypassed, they could even create throwaway accounts just for spamming.

Fixes & Recommendations

The fix: Flarum/Core v1.6.3 shipped with a patch for this bug. See the pull request for technical details.

Update RIGHT NOW: Patch to at least v1.6.3, or newer.

- Check past discussions: Look for OPs that have been permanently deleted but where the thread is still open.

Monitor for suspicious API activity in your server logs.

There are no workarounds for older versions—permission settings are simply bypassed in this edge case.

References & More Reading

- Original Advisory (GitHub)
- Flarum Security Changelog  
- Flarum Core GitHub Repository
- Vulnerability Entry (NVD)

Summary

- CVE-2023-22489 affects Flarum 1.3.–1.6.2: It lets users post replies in restricted/locked topics after the OP is permanently deleted.

No workaround exists for unpatched versions.

If your community runs Flarum, act fast—don’t give spammers or malicious actors a loophole.

Timeline

Published on: 01/13/2023 19:15:00 UTC
Last modified on: 01/23/2023 17:55:00 UTC