CVE-2026-1213: askbot inexhaustive permissions check allows any user to modify a different user's profile picture

January 27, 2026 (updated January 28, 2026)

All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2.

References

askbot.com/
fluidattacks.com/advisories/ghost
github.com/ASKBOT/askbot-devel/commit/3da3d75f35204aa71633c7a315327ba39cb6295d
github.com/advisories/GHSA-r2jv-fwfr-4j8c
github.com/askbot/askbot-devel
nvd.nist.gov/vuln/detail/CVE-2026-1213

Code Behaviors & Features

Detect and mitigate CVE-2026-1213 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →