GCVE-1-2026-0013
Vulnerability from gna-1 – Published: 2026-02-04 19:27 – Updated: 2026-02-04 19:32
Title
Flask Application Username Route Collision Allows Reserved Path Registration
Summary
A route collision vulnerability exists in a Flask-based web application where parameterized user profile routes (e.g., /user/<login>) coexist with fixed functional routes under the same prefix (e.g., /user/profile, /user/bundles). Due to Flask’s route resolution behavior, attackers could register accounts using usernames matching reserved route paths.
By registering such usernames, an attacker could render their profile inaccessible and potentially mask or interfere with legitimate application endpoints, leading to denial of access to functionality and confusion in routing behavior.
The vulnerability stems from insufficient validation of usernames during account creation and profile updates. It is mitigated by introducing a case-insensitive reserved username list corresponding to existing /user/ routes and enforcing validation at the form and model layers to prevent registration or use of these reserved identifiers.
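The mitigation described above, sketched as an added example (not the vulnerability-lookup patch itself): the reserved list is derived from the fixed routes under `/user/` and the same case-insensitive check is applied at a form-style and a model-style layer. The route table, `User` class and function names are hypothetical.

```python
import re

# Constructed route table (assumption): rules registered under the /user/ prefix.
USER_ROUTES = ["/user/<login>", "/user/profile", "/user/bundles",
               "/user/bundles/<int:bundle_id>"]
_PARAM = re.compile(r"^<[^>]+>$")  # a whole segment that is a URL variable

def reserved_usernames(rules, prefix="/user/"):
    """Collect the first fixed path segment of every rule under `prefix`."""
    reserved = set()
    for rule in rules:
        if not rule.startswith(prefix):
            continue
        first = rule[len(prefix):].split("/", 1)[0]
        if first and not _PARAM.match(first):
            reserved.add(first.casefold())
    return reserved

RESERVED = reserved_usernames(USER_ROUTES)

class ReservedUsername(ValueError):
    pass

def validate_login(login, reserved=RESERVED):
    """Case-insensitive check shared by the form and model layers."""
    if login.strip().casefold() in reserved:
        raise ReservedUsername(f"{login!r} collides with a /user/ route")
    return login

def form_errors(login):
    """Form layer: turn the rejection into a user-facing error list."""
    try:
        validate_login(login)
    except ReservedUsername as exc:
        return [str(exc)]
    return []

class User:
    """Model layer: covers profile updates that bypass the form."""
    def __init__(self, login):
        self.login = login
    @property
    def login(self):
        return self._login
    @login.setter
    def login(self, value):
        self._login = validate_login(value)

def audit_existing(logins, reserved=RESERVED):
    """Find accounts created before the check existed that still collide."""
    return [name for name in logins if name.strip().casefold() in reserved]
```

Deriving the set from the route table keeps it in step when a new fixed `/user/...` endpoint is added; `audit_existing` is for accounts registered before the validation was in place.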
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
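| URL | Tags |
|---|---|
| https://github.com/vulnerability-lookup/vulnerability-lookup/commit/ec4c3e70f03e5e711856cf3863c596fab2b707ad | patch |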
Impacted products
| Vendor | Product | Version |
|---|---|---|
| vulnerability-lookup | vulnerability-lookup | Affected: ≤ 3.0 |
Credits
nyanbinary <@nyanbinary@infosec.exchange>
Cedric Bonhomme
Claude Sonnet 4.5 <noreply@anthropic.com>
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vulnerability-lookup",
"vendor": "vulnerability-lookup",
"versions": [
{
"lessThanOrEqual": "3.0",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "nyanbinary \u003c@nyanbinary@infosec.exchange\u003e"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Cedric Bonhomme"
},
{
"lang": "en",
"type": "other",
"value": "Claude Sonnet 4.5 \u003cnoreply@anthropic.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA route collision vulnerability exists in a Flask-based web application where parameterized user profile routes (e.g., \u003ccode\u003e/user/\u0026lt;login\u0026gt;\u003c/code\u003e) coexist with fixed functional routes under the same prefix (e.g., \u003ccode\u003e/user/profile\u003c/code\u003e, \u003ccode\u003e/user/bundles\u003c/code\u003e). Due to Flask\u2019s route resolution behavior, attackers could register accounts using usernames matching reserved route paths.\u003c/p\u003e\n\u003cp\u003eBy registering such usernames, an attacker could render their profile inaccessible and potentially mask or interfere with legitimate application endpoints, leading to denial of access to functionality and confusion in routing behavior.\u003c/p\u003e\n\u003cp\u003eThe vulnerability stems from insufficient validation of usernames during account creation and profile updates. It is mitigated by introducing a case-insensitive reserved username list corresponding to existing \u003ccode\u003e/user/\u003c/code\u003e routes and enforcing validation at the form and model layers to prevent registration or use of these reserved identifiers.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A route collision vulnerability exists in a Flask-based web application where parameterized user profile routes (e.g., /user/\u003clogin\u003e) coexist with fixed functional routes under the same prefix (e.g., /user/profile, /user/bundles). Due to Flask\u2019s route resolution behavior, attackers could register accounts using usernames matching reserved route paths.\n\n\nBy registering such usernames, an attacker could render their profile inaccessible and potentially mask or interfere with legitimate application endpoints, leading to denial of access to functionality and confusion in routing behavior.\n\n\nThe vulnerability stems from insufficient validation of usernames during account creation and profile updates. It is mitigated by introducing a case-insensitive reserved username list corresponding to existing /user/ routes and enforcing validation at the form and model layers to prevent registration or use of these reserved identifiers."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:N/AU:Y/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/ec4c3e70f03e5e711856cf3863c596fab2b707ad"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Flask Application Username Route Collision Allows Reserved Path Registration",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0013"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-02-04T19:27:00.000Z",
"dateUpdated": "2026-02-04T19:32:49.787763Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2026-0013",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-02-04T19:27:11.142905Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-02-04T19:32:49.787763Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}