Research Notes
August 28, 2023

Advisory: Flarum LFI - CVE-2023-40033

No items found.
Creative Commons license


An attacker with a basic user forum account can specify a malicious avatar URL that discloses the contents of arbitrary local files on the file system.


An attacker can read the contents of any local file. An attacker can also conduct blind SSRF attacks.

Affected Software

The following versions are affected by this vulnerability:

  • flarum/framework < 1.8.0

Product Description

Flarum is a delightfully simple discussion platform for your website. It’s fast, free, and easy to use, with all the features you need to run a successful community. It’s also extremely extensible, allowing for ultimate customizability.


Upgrade to the latest version of flarum/framework, >= 1.8.0.

Flarum has released an advisory here. The vulnerability was assigned CVE-2023-40033.

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.


Adam Kues - Assetnote Security Research Team

Written by:
Adam Kues
Your subscription could not be saved. Please try again.
Your subscription has been successful.

Get updates on our research

Subscribe to our newsletter and stay updated on the newest research, security advisories, and more!

Ready to get started?

Get on a call with our team and learn how Assetnote can change the way you secure your attack surface. We'll set you up with a trial instance so you can see the impact for yourself.