Cyber Resilience

CVE-2026-21868

Severity: High

Published: 08 January 2026
Modified: 20 January 2026
KEV Added: not listed (not in the CISA KEV catalog at time of writing)
Patch: available (fixed in Flag Forge 2.3.3)

CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0009 (25.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21868 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Flag Forge, the FlagForgeCTF project's Capture The Flag platform, affecting versions 2.3.2 and below. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the resulting impact mapped to Application or System Exploitation (T1499.004). EPSS ranks it at the 25.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 r5 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation), alongside patching to the fixed release.

Deeper analysis

CVE-2026-21868 is a Regular Expression Denial of Service (ReDoS) vulnerability (CWE-1333) affecting Flag Forge, a Capture The Flag (CTF) platform, in versions 2.3.2 and prior. The issue resides in the user profile API endpoint (/api/user/[username]), where the application builds a regular expression from the unescaped username path parameter and hands it to a MongoDB query. Because the parameter is treated as a pattern rather than a literal, a crafted username containing regex meta-characters (for example deeply nested groups combined with quantifiers) drives the regex engine into catastrophic backtracking. The pattern is evaluated by the MongoDB server, so the CPU cost lands on the database tier for every document the query touches, not only on the application process.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, low attack complexity, and no privileges or user interaction required, with the impact confined to availability. Any unauthenticated remote attacker can exploit it by sending a request to the affected endpoint with a crafted username, and a small number of such requests is enough to exhaust CPU and leave the platform unresponsive for other users.

The vulnerability is fixed in Flag Forge version 2.3.3. As a workaround, operators can deploy a Web Application Firewall (WAF) rule that blocks requests whose URL path contains regex meta-characters; note that such a rule must match against the decoded path (attackers will percent-encode the characters) and will also reject any legitimate username that happens to contain those characters, so it is a stopgap rather than a substitute for the patch. Additional details are available in the GitHub Security Advisory at https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx.
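The following JavaScript is an added illustration written for this page; it is not Flag Forge's code, which the advisory does not reproduce. It shows the vulnerable query shape described above beside two hardened forms (escape-and-anchor, and a regex-free exact lookup), plus the advisory's WAF workaround expressed as a path pre-filter. The handler shape, the case-insensitive `$options: 'i'` match, the `usernameLower` field, the username policy `[A-Za-z0-9_-]{1,32}` and all function names are assumptions made for the example.

```javascript
// Added example (not Flag Forge's code): how a username that reaches a
// MongoDB $regex unescaped becomes a ReDoS vector, and how to close it.
// Assumptions (not from the advisory): the route handler looks up the user
// with a case-insensitive $regex, usernames are limited to [A-Za-z0-9_-]
// and at most 32 characters, a lower-cased copy of the username is stored
// as `usernameLower`, and the WAF workaround runs as a pre-filter in front
// of /api/user/<username>.

// Vulnerable shape: the raw path segment is interpolated into the pattern.
// A username such as "(a+)+$" is interpreted as a regex, not a literal,
// and a quantified nested group like this is exactly what drives the
// server-side regex engine into catastrophic backtracking.
function vulnerableUserQuery(username) {
  return { username: { $regex: `^${username}$`, $options: 'i' } };
}

// Escape every character with regex meaning so the pattern matches the
// username literally, whatever it contains.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Assumed username policy: a strict allowlist (SI-10) rejects every regex
// meta-character before any query is built.
const USERNAME_RE = /^[A-Za-z0-9_-]{1,32}$/;

function assertValidUsername(username) {
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
    throw new RangeError('invalid username');
  }
}

// Hardened shape 1: validate, then escape and anchor. Escaping is redundant
// under the allowlist above but cheap, and it keeps the query safe if the
// policy is later relaxed.
function safeUserQuery(username) {
  assertValidUsername(username);
  return { username: { $regex: `^${escapeRegex(username)}$`, $options: 'i' } };
}

// Hardened shape 2: no regex at all. Exact match on a stored lower-cased
// copy gives the same case-insensitive lookup and can use a plain index.
function exactUserQuery(username) {
  assertValidUsername(username);
  return { usernameLower: username.toLowerCase() };
}

// WAF-style workaround from the advisory as a path pre-filter: any regex
// meta-character in the username segment of /api/user/<username> is rejected
// before the request reaches the application. The segment is percent-decoded
// first so "(a%2B)%2B%24" is caught; undecodable input is rejected too.
const REGEX_META = /[.*+?^${}()|[\]\\]/;

function blockedByWafRule(path) {
  const m = /^\/api\/user\/([^\/?#]*)/.exec(path);
  if (!m) return false; // rule only applies to the affected endpoint
  let segment;
  try {
    segment = decodeURIComponent(m[1]);
  } catch (e) {
    return true; // malformed percent-encoding: do not let it through
  }
  return REGEX_META.test(segment);
}
```

Of the two hardened forms, the exact lookup is the one to prefer: it removes the regex engine from the request path entirely, which is the only way to make the endpoint's cost independent of what the caller sends. The pre-filter is deliberately scoped to the vulnerable route so the rule does not break other paths, and it blocks legitimate usernames containing a dot or parenthesis, which is the trade-off noted in the advisory's workaround.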

Vulnerability details

Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To work around this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.

CWE(s)

CWE-1333 Inefficient Regular Expression Complexity

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A ReDoS flaw in an unauthenticated public API endpoint lets a remote attacker exploit the web application directly (T1190), and the effect of that exploitation is application-layer resource exhaustion, i.e. denial of service (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33671 (shared CWE-1333)
CVE-2024-46242 (shared CWE-1333)
CVE-2025-70030 (shared CWE-1333)
CVE-2024-41766 (shared CWE-1333)
CVE-2026-4867 (shared CWE-1333)
CVE-2025-10990 (shared CWE-1333)
CVE-2026-27904 (shared CWE-1333)
CVE-2026-30925 (shared CWE-1333)
CVE-2026-22178 (shared CWE-1333)
CVE-2026-23956 (shared CWE-1333)

Affected Assets

Vendor: flagforge
Product: flagforge
Affected versions: 2.0 through 2.3.2 (fixed in 2.3.3)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly addresses the ReDoS vulnerability by validating and sanitizing the username input, rejecting or escaping regex meta-characters before the MongoDB query is constructed.

SI-2 Flaw Remediation (prevent)

Requires timely remediation of the specific flaw in Flag Forge versions 2.3.2 and prior by patching to version 2.3.3, which eliminates the vulnerable regex construction.

SC-5 Denial-of-service Protection (prevent)

Provides denial-of-service protections tailored to resource exhaustion attacks such as ReDoS-induced CPU consumption on the user profile API endpoint, for example request rate limiting and the WAF rule described in the advisory.
