Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Network-exploitable web app requiring only a low-privilege account; write-only impact to admin storage with no confidentiality or availability consequence.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
AnalysisAI
Unauthorized write access to the admin backup store in Discourse allows any authenticated regular user to route S3 multipart uploads into a storage area that should be restricted to administrators. The flaw exists in ExternalUploadManager, which fails to enforce authorization checks (CWE-862) when accepting direct S3 multipart upload requests, meaning a low-privilege account holder can target the admin backup destination path without restriction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid regular user account on the target Discourse instance (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N accurately reflects the threat profile: network-exploitable over standard HTTP, low attack complexity, requiring only a regular user account (PR:L), with no user interaction needed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or already holds a standard (non-admin) account on a Discourse instance configured with direct S3 multipart uploads. They initiate an upload via ExternalUploadManager, manipulating the upload destination parameter to target the admin backup store S3 prefix rather than the user content bucket. … |
| Remediation | Vendor-released patches are confirmed at versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, available at github.com/discourse/discourse/releases. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun
Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated
Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi
Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r
Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is
Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici
Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42729