Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Network-accessible with low attack complexity and no privileges required, but user interaction is required (UI:R); confidentiality impact is low and integrity/availability are unaffected.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Description (CVE.org)
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the MessageBus.publish call for /web_hook_events/<id> in Jobs::RedeliverWebHookEvents did not pass group_ids, leaving the channel readable by any authenticated user (or anonymous user on instances where login_required is disabled). Webhook IDs are sequential integers and trivially enumerable. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Analysis (AI)
Unauthorized access to webhook event data in Discourse exposes internal webhook payloads to any authenticated user - or unauthenticated users on instances with login_required disabled - across versions 2026.1.0 through several branch heads. The flaw resides in the MessageBus channel /web_hook_events/<id>, which the Jobs::RedeliverWebHookEvents job publishes to without enforcing group_id restrictions, allowing unrestricted channel subscription. …
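The defect above is a `MessageBus.publish` call with no audience restriction. The following audit helper, added here as an example and not Discourse's or the message_bus gem's own code, lists such calls in a Ruby source tree so a site operator can check a core checkout or third-party plugins for the same pattern. It assumes the message_bus option names `group_ids:`, `user_ids:` and `client_ids:`; the sample source is constructed, and the output is a triage list, since some channels are intentionally public.

```ruby
# Audit helper (added example, not Discourse code): find MessageBus.publish
# calls whose argument list carries no audience restriction.
# Assumption: message_bus restricts delivery via group_ids:, user_ids: or
# client_ids: options; a call without any of them is readable by every subscriber.

AUDIENCE_KEYS = /\b(group_ids|user_ids|client_ids)\s*:/

# Returns [{ file:, line:, call: }] for each publish call (parentheses balanced,
# possibly multi-line) that lacks an audience key. Parentheses inside string
# literals are not handled; this is a review aid, not a parser.
def unrestricted_publishes(source, file = "input.rb")
  findings = []
  scan_pos = 0
  while (start = source.index("MessageBus.publish(", scan_pos))
    i = start + "MessageBus.publish".length # index of the opening paren
    depth = 0
    while i < source.length
      depth += 1 if source[i] == "("
      depth -= 1 if source[i] == ")"
      break if depth.zero?
      i += 1
    end
    call = source[start..i]
    line = source[0...start].count("\n") + 1
    findings << { file: file, line: line, call: call } unless call.match?(AUDIENCE_KEYS)
    scan_pos = i + 1
  end
  findings
end

# Constructed sample: the unrestricted shape behind this CVE, a restricted
# multi-line call, and a per-user channel.
SAMPLE = <<~RUBY
  MessageBus.publish("/web_hook_events/\#{web_hook_id}", payload)
  MessageBus.publish(
    "/web_hook_events/\#{web_hook_id}",
    payload,
    group_ids: [Group::AUTO_GROUPS[:admins]],
  )
  MessageBus.publish("/site/read-only", {}, user_ids: [user.id])
RUBY

if $PROGRAM_NAME == __FILE__
  unrestricted_publishes(SAMPLE, "sample.rb").each do |f|
    puts "#{f[:file]}:#{f[:line]}: #{f[:call].lines.first.strip}"
  end
end
```

Run it over a checkout with `Dir.glob("**/*.rb")` and `File.read` to build the list, then review each hit for whether the channel really must be public.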
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | On Discourse instances where login_required is disabled (the default for many public communities): no authentication is required - anonymous users can subscribe to any /web_hook_events/<id> channel. … |
| Risk Assessment | The vendor-assigned CVSS score of 4.3 (Medium) uses AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. … |
| Exploit Scenario | An attacker - authenticated or anonymous depending on instance configuration - subscribes to the Discourse MessageBus channel /web_hook_events/1, /web_hook_events/2, and so on, iterating sequential integer IDs to retrieve webhook event payloads. Because webhook IDs are sequential integers with no per-channel authorization check, the attacker harvests event data (potentially including integration tokens, payload bodies, or system event details) across all redelivered webhook events without any elevated privileges. … |
| Remediation | Vendor-released patches are confirmed in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 - upgrade to the appropriate patched release for your branch. … |
EUVD-2026-36560