CVE-2026-21868
Published: 08 January 2026
Summary
CVE-2026-21868 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Flag Forge, a Capture The Flag (CTF) platform. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the 25.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-21868 is a Regular Expression Denial of Service (ReDoS) vulnerability (CWE-1333) in Flag Forge, a Capture The Flag (CTF) platform, affecting versions 2.3.2 and earlier. The flaw is in the user profile API endpoint (/api/user/[username]): the application builds a regular expression from the username route parameter without escaping it, so the parameter is interpreted as a pattern rather than as a literal name. A request whose username contains regex meta-characters, for example deeply nested groups or quantifiers, therefore hands the MongoDB regex engine an attacker-chosen pattern during the user lookup, and a pattern that backtracks catastrophically consumes excessive CPU on the server.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): it is reachable over the network, needs no privileges or user interaction, has low attack complexity, and its impact is confined to availability. Any unauthenticated remote attacker can exploit it by sending a request with a crafted username to the affected endpoint; each such request ties up server CPU, and repeated requests keep the server unresponsive, denying service to other users of the platform.
The vulnerability is fixed in Flag Forge version 2.3.3. As a temporary workaround, operators can add a Web Application Firewall (WAF) rule that blocks requests containing regex meta-characters in the URL path. This is a stopgap rather than a fix: any meta-character the rule does not cover still reaches the unescaped regex construction, so upgrading is the only complete remediation. Additional details are available in the GitHub Security Advisory at https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx.
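To make the mechanism and the two remediation paths concrete, the following is an added JavaScript example; it is not Flag Forge's own code. The advisory does not show the project's actual query, so the MongoDB filter shape `{ username: { $regex } }`, the function names, and the username allowlist (alphanumerics, underscore and hyphen, 1 to 32 characters) are assumptions. The example builds the user lookup the vulnerable way and two hardened ways, runs each against a constructed list of stored usernames, and times the vulnerable pattern to show how backtracking cost grows with input length; the allowlist check plays the role that the WAF workaround above plays at the edge.

```javascript
// Added example, not Flag Forge's code. Shows how an unescaped route parameter
// becomes an attacker-controlled regex in a user lookup, and how to close it.

// Assumed filter shape: a MongoDB $regex on the "username" field, built from
// the raw route parameter. This mirrors the flaw described in the advisory.
function buildUserFilterVulnerable(username) {
  // Raw input lands in the pattern: "(a+)+b" is a regex here, not a name.
  return { username: { $regex: `^${username}$`, $options: 'i' } };
}

// Fix 1: escape every regex meta-character so the input can only match literally.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function buildUserFilterEscaped(username) {
  return { username: { $regex: `^${escapeRegex(username)}$`, $options: 'i' } };
}

// Fix 2 (preferred when case-insensitive lookup is not needed): plain equality,
// no regex engine involved at all.
function buildUserFilterExact(username) {
  return { username: username };
}

// Defence in depth, equivalent in spirit to the advisory's WAF workaround:
// reject anything that is not a plausible username before it reaches the query.
// The allowed charset and length are assumptions; use whatever the site enforces.
const USERNAME_RE = /^[A-Za-z0-9_-]{1,32}$/;
function isSafeUsername(username) {
  return typeof username === 'string' && USERNAME_RE.test(username);
}

// Local stand-in for the database: apply the filter to stored usernames.
// (The JS engine backtracks much like MongoDB's PCRE engine does.)
function matchStoredUsers(filter, storedUsernames) {
  const spec = filter.username;
  if (typeof spec === 'string') return storedUsernames.filter((u) => u === spec);
  const re = new RegExp(spec.$regex, spec.$options || '');
  return storedUsernames.filter((u) => re.test(u));
}

// Wall-clock cost in milliseconds of testing one pattern against one subject.
function matchCostMs(pattern, subject) {
  const re = new RegExp(pattern);
  const t0 = process.hrtime.bigint();
  re.test(subject);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed sample data.
const STORED = ['alice', 'ali.e', 'bob'];

function demo() {
  // "ali.e" as a raw regex also matches "alice"; escaped or exact, it matches itself only.
  return {
    loose: matchStoredUsers(buildUserFilterVulnerable('ali.e'), STORED),
    tight: matchStoredUsers(buildUserFilterEscaped('ali.e'), STORED),
    exact: matchStoredUsers(buildUserFilterExact('ali.e'), STORED),
    allowlist: ['alice', 'ali.e', '(a+)+b'].map(isSafeUsername),
  };
}

// The ReDoS itself: username "(a+)+b" becomes ^(a+)+b$ in the vulnerable filter.
// Against a stored name of n letters "a" the engine tries roughly 2^(n-1) ways to
// split the run before failing on the missing "b", so cost doubles per character.
function backtrackCurve(sizes) {
  const pattern = buildUserFilterVulnerable('(a+)+b').username.$regex;
  return sizes.map((n) => ({ n, ms: matchCostMs(pattern, 'a'.repeat(n)) }));
}

console.log(demo());
console.log(backtrackCurve([12, 16, 20]));
```

Run it with `node`. Two points the snippet does not show but a practitioner should keep in mind: MongoDB evaluates a $regex that lacks a literal anchored prefix against every document in the collection, so the per-document backtracking cost is multiplied by the number of registered users; and escaping is only sufficient if it covers every meta-character the server-side engine recognises, which is why plain equality, where the lookup does not need to be case-insensitive, is the simpler and safer fix.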
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1664
Vulnerability details
Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.
- CWE(s): CWE-1333 (Inefficient Regular Expression Complexity)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
The ReDoS sits in an unauthenticated, public API endpoint, so it is exploited by sending requests to the web application itself (T1190); the effect is application-layer resource exhaustion, an endpoint denial of service achieved by exploiting the application's own request handling (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the ReDoS by validating the username parameter and escaping or rejecting regex meta-characters before the value is used to build the MongoDB query.
- SI-2 (Flaw Remediation): requires timely patching of Flag Forge versions 2.3.2 and prior to version 2.3.3, which removes the vulnerable regex construction.
- SC-5 (Denial-of-service Protection): provides rate limiting and resource controls for the user profile API endpoint that bound the CPU an attacker can consume through ReDoS-style requests.