Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Webhook is network-accessible with no Discourse authentication required (PR:N, AV:N); AWS account prerequisite is attacker-controlled, not a target-side access control (AC:L); impact confined to email revocation with no confidentiality loss (I:L, A:L, C:N).
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
AnalysisAI
Discourse's AWS SES bounce webhook endpoint (POST /webhooks/aws) validates Amazon SNS message signatures but omits TopicArn binding, allowing any AWS account holder to publish legitimately signed forged Bounce notifications that revoke a targeted Discourse user's email address. Versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 across all active release branches are affected when the SES integration is enabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Discourse instance has the AWS SES bounce webhook integration enabled and the POST /webhooks/aws endpoint reachable over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 6.5 with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L accurately characterizes the attack surface: the webhook is internet-facing, no Discourse credentials are required, and no user interaction is needed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or uses an existing AWS account, creates an SNS topic, and constructs a valid SNS Bounce notification JSON payload targeting a known Discourse user's email address. Publishing this message through Amazon's SNS infrastructure causes Amazon to sign it with valid Amazon credentials; the attacker then delivers it to the victim Discourse instance's POST /webhooks/aws endpoint. … |
| Remediation | Upgrade Discourse to 2026.6.0 (stable), 2026.5.1 (beta), 2026.4.2 (tests-passed), or 2026.1.5 (legacy), per the operator's active release branch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun
Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated
Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi
Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r
Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is
Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici
Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42728