Severity by source
Vendor (GitHub_M): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Category moderation group membership (PR:L) is required to reach the review queue; only bounded email metadata is exposed (C:L), with no write or availability impact.
Primary rating from vendor (GitHub_M).
Description (CVE.org)
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] for posts that arrived via incoming email. Category moderation group members reaching the review queue could therefore read the full inbound email source (headers, sender trace, MUA, body) without being in view_raw_email_allowed_groups - the trust boundary that gates the dedicated raw-email endpoint. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Analysis (AI-generated)
Discourse's ReviewableQueuedPostSerializer unconditionally exposes full inbound email source - including SMTP headers, sender trace, mail user agent, and body - to category moderation group members accessing the review queue, bypassing the view_raw_email_allowed_groups trust boundary that restricts the dedicated raw-email endpoint. Affected versions span the 2026.1.x, 2026.3.x, and 2026.4.x series on deployments using Discourse's incoming email feature. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an authenticated Discourse user who holds membership in at least one category moderation group (PR:L). … |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N accurately reflects the real-world risk profile. … |
| Exploit Scenario | A user who is a member of a category moderation group logs into Discourse and navigates to the review queue to process pending posts. When reviewing a post that arrived via incoming email, the API response from ReviewableQueuedPostSerializer includes the full raw_email payload containing SMTP Received headers, originating IP addresses, X-Mailer or User-Agent strings, and the complete message body. … |
| Remediation | Upgrade to one of the patched releases: Discourse 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1, all of which correct the ReviewableQueuedPostSerializer to enforce the view_raw_email_allowed_groups permission check before including raw email data in serialized output. … |
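The unconditional payload copy the description refers to, beside the gated form the Remediation row describes, as an added Ruby example that is not Discourse's own code: Guardian, SiteSetting, the view_raw_email_allowed_groups_map accessor and the include_raw_email? hook are assumptions modelled on Discourse conventions, and the group ids and the email message are constructed.

```ruby
# Added example, not Discourse code: a stand-in for the queued-post serializer
# showing why copying the whole payload leaks raw_email, and the gated version.
module SiteSetting
  def self.view_raw_email_allowed_groups_map
    [1] # constructed: only group id 1 is allowed to view raw email
  end
end

User = Struct.new(:username, :group_ids, :staff) # assumption: minimal user model

# The trust boundary the dedicated raw-email endpoint enforces (assumed shape).
class Guardian
  def initialize(user)
    @user = user
  end
  def can_view_raw_email?
    @user.staff || (@user.group_ids & SiteSetting.view_raw_email_allowed_groups_map).any?
  end
end

# Vulnerable shape: raw_email is copied through for every review-queue viewer.
class VulnerableQueuedPostSerializer
  def initialize(reviewable, guardian)
    @reviewable, @guardian = reviewable, guardian
  end
  def as_json
    @reviewable[:payload].slice(:raw, :title, :raw_email)
  end
end

# Fixed shape: raw_email is emitted only when include_raw_email? passes.
class FixedQueuedPostSerializer < VulnerableQueuedPostSerializer
  def include_raw_email?
    @guardian.can_view_raw_email?
  end
  def as_json
    json = @reviewable[:payload].slice(:raw, :title)
    json[:raw_email] = @reviewable[:payload][:raw_email] if include_raw_email?
    json
  end
end

# Constructed sample: a queued post that arrived via incoming email.
SAMPLE_REVIEWABLE = { payload: { raw: "Hello from email", title: "Billing",
  raw_email: "Received: from mx.example ([192.0.2.10])\r\nX-Mailer: Ex\r\n\r\nHi" } }
CATEGORY_MOD = User.new("catmod", [7], false) # category moderation group only
RAW_VIEWER = User.new("admin", [1], true)
def serialize(serializer_class, user)
  serializer_class.new(SAMPLE_REVIEWABLE, Guardian.new(user)).as_json
end
```

Run serialize(VulnerableQueuedPostSerializer, CATEGORY_MOD) and serialize(FixedQueuedPostSerializer, CATEGORY_MOD) to see the raw_email key present in the first result and absent in the second.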
External references
EUVD-2026-36584