Spoofing attacks possibility?

Posted: Mon Dec 21, 2015 5:33 pm
by Zehra
There could be a slight vulnerability, in which commands and actions could be spoofed, as the client-server architecture gives a lot of power to the client in BZFlag.
It is my understanding that the client sends actions (such as jump) to the server, which then sends them to other clients (so they would interpret whether a tank has jumped or not, for example).
This technically allows one to send spoofed commands or actions to the server, for example making someone else's tank jump in a bad situation.

Re: Spoofing attacks possibility?

Posted: Mon Dec 21, 2015 7:20 pm
by macsforme
Please analyze the source code or conduct local tests to validate your ideas before you speculate whether a specific attack is possible. The server has numerous checks to validate data it receives from clients before accepting and relaying it. Furthermore, we generally do not allow discussions about specific ways of attacking bzfs servers here, nor any kind of cheating or attempts to compromise the game.

Re: Spoofing attacks possibility?

Posted: Mon Dec 21, 2015 8:04 pm
by Zehra
Sorry, my bad.

Re: Spoofing attacks possibility?

Posted: Mon Dec 21, 2015 11:03 pm
by blast
In some ways, the server is little more than a relay. It's far better than it used to be, but still is far from perfect. Ideally the server would actually have a complete game state (meaning, it would know where tanks are, where shots are, how physics are going to behave, etc.) so that it could make intelligent decisions and determine if a client is sending bogus updates.
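
A sketch of the kind of server-side check described in the post above, added here as an example and not taken from BZFlag's source: the server ties each update to the connection it arrived on and compares it with the last state it accepted. All type names, the speed limit and the slack value are hypothetical.

```cpp
#include <cmath>
#include <unordered_map>

// Hypothetical types for illustration; not BZFlag's protocol or source.
enum class Verdict { Accept, WrongSender, StaleTime, TooFast };

struct Update { int claimedId; double x, y, z; };  // as sent by a client
struct Known  { double x, y, z, t; };              // server's last accepted state

class StateTracker {
public:
    explicit StateTracker(double maxSpeed, double slack = 0.5)
        : maxSpeed_(maxSpeed), slack_(slack) {}

    // connId: identity the server bound to the connection at join time.
    // now:    server clock in seconds; client timestamps are not trusted.
    Verdict validate(int connId, const Update& u, double now) {
        // An update may only describe the tank owned by its connection.
        if (u.claimedId != connId) return Verdict::WrongSender;

        auto it = last_.find(connId);
        if (it != last_.end()) {
            const Known& k = it->second;
            double dt = now - k.t;
            if (dt <= 0.0) return Verdict::StaleTime;
            double dx = u.x - k.x, dy = u.y - k.y, dz = u.z - k.z;
            double dist = std::sqrt(dx * dx + dy * dy + dz * dz);
            // Reject movement the physics could not have produced.
            if (dist > maxSpeed_ * dt + slack_) return Verdict::TooFast;
        }
        // Only accepted updates advance the server's view of the tank.
        last_[connId] = Known{u.x, u.y, u.z, now};
        return Verdict::Accept;
    }

private:
    double maxSpeed_, slack_;
    std::unordered_map<int, Known> last_;
};
```

A rejected update leaves the stored state untouched, so the next plausible update from the same connection is still measured against the last position the server accepted.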