Skip to main content

Discourse EUVDEUVD-2026-42735

| CVE-2026-44787 HIGH
Improper Privilege Management (CWE-269)
2026-07-09 security-advisories@github.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (github) PRIMARY
HIGH
qualitative
NVD
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
8.2 HIGH

Patch tests show injection succeeds on unauthenticated signup, so PR:N and AC:L; whisper read access drives C:H with minor I:L and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Source Code Evidence Fetched
Jul 14, 2026 - 20:59 vuln.today
Analysis Updated
Jul 14, 2026 - 20:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 20:52 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 20:52 NVD
8.2 (HIGH) 7.1 (HIGH)
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Generated
Jul 09, 2026 - 22:31 vuln.today

DescriptionNVD

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

AnalysisAI

Privilege escalation in Discourse (the open-source discussion platform) lets a newly registered user obtain whisper-group ('whisperer') privileges by supplying a primary_group_id during the signup flow, without ever being a legitimate member of that group. Exploitation only matters on sites that have configured whispers_allowed_groups, and success grants read access to staff-only whisper posts (a confidentiality-focused impact). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register account via public signup endpoint
Delivery
Inject primary_group_id of whisper-allowed group
Exploit
Server saves primary_group_id without membership check
Execution
whisperer? evaluates true
Impact
Read/post staff-only whisper content

Vulnerability AssessmentAI

Exploitation Exploitation requires the target Discourse site to have the whispers_allowed_groups site setting configured - a non-default, opt-in staff feature; without it, injecting primary_group_id grants no whisper privilege and the bug is inert. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent and point to a real but moderate-priority issue rather than an emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a Discourse forum that has enabled group-based whispers, an attacker scripts the public registration endpoint and includes primary_group_id set to the ID of a whisper-allowed group in the signup payload. Once the account is created, the attacker is treated as a whisperer and can read (and post) staff-only whisper content that should be hidden from ordinary members. …
Remediation Vendor-released patch: upgrade to Discourse 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5 (whichever matches your release branch), available at https://github.com/discourse/discourse/releases (tags v2026.6.0, v2026.5.1, v2026.4.2, v2026.1.5). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Discourse installations in your environment and confirm which have whispers_allowed_groups enabled, as only those configurations face risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-48954 HIGH POC
8.1 Jun 25

Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun

CVE-2024-47773 HIGH POC
8.2 Oct 08

Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem

CVE-2021-3138 HIGH POC
7.5 Jan 14

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated

CVE-2023-38706 MEDIUM POC
6.5 Sep 15

Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2024-53991 MEDIUM POC
5.9 Dec 19

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r

CVE-2025-48877 CRITICAL
9.8 Jun 09

Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu

CVE-2023-47121 CRITICAL
9.8 Nov 10

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-41163 CRITICAL
9.8 Oct 20

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2024-49765 CRITICAL
9.1 Dec 19

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2026-53963 CRITICAL
9.0 Jul 09

Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici

CVE-2022-39356 HIGH
8.8 Nov 02

Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2026-27934 HIGH
8.7 Mar 19

Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and

Share

EUVD-2026-42735 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy