Bolt is vulnerable to cross-site request forgery (CSRF). It allows an attacker to trick an authenticated user to submit a malicious request to execute action on behalf of the attacker.