Open
The Flask-WTF docs state:
When CSRF validation fails, it will raise a CSRFError.
However, this appears to only be true if this optional code has been used:
from flask_wtf.csrf import CSRFProtect
csrf = CSRFProtect(app)
When that code is not used, forms are created by subclassing FlaskForm, and CSRF validation fails, then validate_on_submit returns False instead of raising CSRFError.
It seems that ideally you would always raise CSRFError for consistency, but if you don't want to do that, then it would be helpful to update the docs.