
Discourse EUVD-2026-36587

CVE-2026-44784 MEDIUM
Information Exposure (CWE-200)
2026-06-12 GitHub_M
6.5
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Requires authenticated group-owner session (PR:L) over the network; confidentiality-only impact as credentials are read from the log with no write or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Lifecycle Timeline

  • Patch available: Jun 12, 2026 - 22:01 (EUVD)
  • Analysis generated: Jun 12, 2026 - 21:34 (vuln.today)

Description (CVE.org)

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext via the group history log (/groups/:name/logs.json). Affected fields: email_password, email_username, smtp_server, smtp_port, smtp_ssl_mode. The most sensitive item is the SMTP password, which an owner could use to send mail as the group from outside Discourse. This impacts sites that have configured per-group SMTP credentials and granted group ownership to users who should not have access to those credentials. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
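
An added example, not Discourse's code or the upstream patch: a minimal Ruby model of a change-history logger that stores old and new values for every field, next to a variant that records sensitive fields without their values. The row keys (`subject`, `prev_value`, `new_value`), the function names and the sample change set are assumptions; only the five field names come from the description above.

```ruby
# Fields the description lists as exposed through the group history log.
SENSITIVE_FIELDS = %w[
  email_password email_username smtp_server smtp_port smtp_ssl_mode
].freeze
REDACTED = "[redacted]"

# Hypothetical logger: one history row per changed attribute, values included.
# This is the pattern that puts credentials in front of anyone who can read the log.
def naive_history(changes)
  changes.map do |field, (old, new)|
    { subject: field, prev_value: old, new_value: new }
  end
end

# Hardened variant: still records that a sensitive field changed, never its value.
def redacted_history(changes)
  changes.map do |field, (old, new)|
    if SENSITIVE_FIELDS.include?(field.to_s)
      { subject: field,
        prev_value: old.nil? ? nil : REDACTED,
        new_value: new.nil? ? nil : REDACTED }
    else
      { subject: field, prev_value: old, new_value: new }
    end
  end
end

# Audit helper: which sensitive subjects have stored rows that hold real values?
def leaked_subjects(rows)
  rows.select do |row|
    SENSITIVE_FIELDS.include?(row[:subject].to_s) &&
      [row[:prev_value], row[:new_value]].any? { |v| !v.nil? && v != REDACTED }
  end.map { |row| row[:subject].to_s }.uniq
end

# Constructed sample change set; all values are placeholders.
SAMPLE_CHANGES = {
  "title" => ["Support", "Support Team"],
  "smtp_server" => [nil, "smtp.example.test"],
  "email_password" => [nil, "constructed-placeholder"]
}.freeze

puts "naive rows leak:    #{leaked_subjects(naive_history(SAMPLE_CHANGES)).inspect}"
puts "redacted rows leak: #{leaked_subjects(redacted_history(SAMPLE_CHANGES)).inspect}"
```

Redacting at write time only protects new rows; `leaked_subjects` is the kind of check to run over rows that were written before the logger changed.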

Analysis (AI)

Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL mode - from the group history log endpoint (/groups/:name/logs.json), affecting versions 2026.1.0-latest through pre-2026.1.4, 2026.3.0-latest through pre-2026.3.1, and 2026.4.0-latest through pre-2026.4.1. An authenticated group owner who holds no admin or moderator privileges can harvest the exposed SMTP password and use it to send mail impersonating the group's email identity from any external mail client, entirely bypassing Discourse's own sending controls. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Authenticate as Discourse group owner
  • Delivery: Request GET /groups/:name/logs.json
  • Exploit: Extract plaintext SMTP credentials from response
  • Execution: Configure external SMTP client with harvested credentials
  • Impact: Send email impersonating group's identity to external targets

Vulnerability Assessment (AI)

Exploitation: Exploitation requires all of the following specific conditions to be simultaneously true: (1) the Discourse instance must have per-group SMTP credentials explicitly configured on at least one group - this is a non-default feature requiring deliberate administrator setup, and sites using only the global mailer are entirely unaffected; (2) the attacker must hold an authenticated Discourse session with group owner role on the targeted group - unauthenticated users and members without owner role cannot access the logs endpoint; (3) the group owner must not also be an admin or moderator, as the vulnerability is specifically scoped to the trust gap in the owner tier. …

Risk Assessment: The vendor-assigned CVSS 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N accurately represents the risk profile: network-reachable with low attack complexity, but requiring authenticated access at the group-owner privilege level. …

Exploit Scenario: An authenticated Discourse user who has been granted group ownership - without admin or moderator status - issues a GET request to /groups/:name/logs.json for a group they own that has per-group SMTP configured. The JSON response includes the plaintext SMTP password alongside server address and port, which the attacker then enters into an external SMTP client (e.g., a scripted curl command or a mail relay tool) to send emails from the group's address to targets outside Discourse, enabling phishing or spam campaigns that abuse the group's trusted sender identity. …

Remediation: Upgrade Discourse to patched versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 as documented in vendor advisory GHSA-94c5-j24g-r99f (https://github.com/discourse/discourse/security/advisories/GHSA-94c5-j24g-r99f). …
