Discourse: CVE-2026-33427
Severity: HIGH
Severity by source: GitHub Advisory (primary rating; only source for this CVE)
CVSS vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description (GitHub Advisory)
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Analysis (AI)
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an authorization page spoofing vulnerability: an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, enabling social engineering attacks against users. This CWE-862 (Missing Authorization) class vulnerability affects every unpatched Discourse installation and requires no authentication or special privileges to exploit. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | A remote, unauthenticated attacker can exploit Discourse versions before 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. … |
| Risk Assessment | The real-world risk is moderate-to-high despite the absence of a CVSS vector. … |
| Exploit Scenario | An attacker crafts a phishing email containing a link to the victim's Discourse instance with a manipulated URL parameter that causes the authorization page to display the attacker's domain (e.g., 'discourse-login.attacker.com') instead of the legitimate Discourse domain. When the user clicks the link and sees the familiar Discourse UI combined with the attacker-controlled domain in the address bar or form fields, they are socially engineered into entering their credentials on the attacker's site. … |
| Remediation | Immediately upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, depending on your current release branch; see https://github.com/discourse/discourse/security/advisories/GHSA-9vhg-2mx3-mqfr for patch details and upgrade procedures. No known workarounds are available. … |
Recommended Action (AI)
Within 7 days: identify all affected systems and apply the vendor patches promptly. …