Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksController` accepted requests without a valid authentication token when no token was configured. This allowed unauthenticated attackers to forge webhook payloads and artificially inflate user bounce scores, potentially causing legitimate user emails to be disabled. The Mailpace endpoint had no token validation at all. Starting in versions 2025.12.2, 2026.1.1, and 2026.2.0, all webhook endpoints reject requests with a 406 response when no authentication token is configured. As a workaround, ensure that webhook authentication tokens are configured for all email provider integrations in site settings (e.g., `sendgrid_verification_key`, `mailjet_webhook_token`, `postmark_webhook_token`, `sparkpost_webhook_token`). There's no current workaround for mailpace before getting this fix.
Published: 2026-02-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Webhook Injection leading to email bounce tampering
Action: Patch Upgrade
AI Analysis

Impact

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 let several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksController` accept requests without an authentication token whenever no token is configured in site settings, and the Mailpace endpoint performs no token validation at all. An attacker can therefore post forged bounce events that artificially inflate user bounce scores, and once a score crosses the configured threshold Discourse stops sending email to that user. The weakness is an authentication bypass (CWE-287); the impact is on the integrity and availability of email delivery for the affected users (the CVSS vector records C:N/I:L/A:L), not on confidentiality.

Affected Systems

The vulnerability affects installations of the open-source discussion platform Discourse. Any deployment running a version earlier than 2025.12.2, 2026.1.1, or 2026.2.0 is impacted; exposure is highest where an email provider webhook is enabled but its token setting is blank, and any unpatched instance using the Mailpace webhook is exposed regardless of settings. Administrators should verify that their instance runs one of the patched releases (or a later build on the same branch); older versions remain susceptible.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) reflects a network-reachable, unauthenticated flaw with partial integrity and availability impact and no confidentiality impact; the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that the attacker can reach the webhook URL of an instance whose provider token setting is blank (or, for Mailpace, any unpatched instance): no credentials, session, or knowledge of a secret is needed, and the requests are trivially scriptable, which matches the SSVC assessment of Automatable: yes. Once exploited, the attacker can push the bounce score of chosen addresses past the threshold at which Discourse disables email to those users, suppressing notifications, digests, and other mail to legitimate accounts.
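To make the failure mode concrete, the following stand-alone Ruby model is an added example and not Discourse's WebhooksController: it contrasts the vulnerable "skip the check when no token is configured" logic with the fixed "reject with 406 when no token is configured" logic, and feeds both into a simplified bounce ledger so the effect on a victim address is visible. The module and class names, the 406 on mismatch, the score increment per bounce, and the disable threshold are all assumptions made for illustration.

```ruby
# Added example (not Discourse code): models the webhook token check this
# CVE describes. Names, thresholds and score increments are assumptions.

module WebhookAuth
  # Constant-time byte comparison so a mismatch cannot be timed.
  def self.tokens_match?(expected, supplied)
    return false if expected.nil? || supplied.nil?
    return false unless expected.bytesize == supplied.bytesize
    expected.bytes.zip(supplied.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  def self.unconfigured?(token)
    token.nil? || token.strip.empty?
  end

  # Vulnerable pattern: a blank site setting means "no check", so a caller
  # who simply omits the token is accepted with 200.
  def self.vulnerable_status(configured, supplied)
    return 200 if unconfigured?(configured)
    tokens_match?(configured, supplied) ? 200 : 406
  end

  # Mailpace in the vulnerable versions: no token validation at all.
  def self.mailpace_vulnerable_status(_configured, _supplied)
    200
  end

  # Fixed pattern: a blank setting is itself rejected with 406 (the status
  # the advisory gives); a mismatch is assumed to be 406 as well.
  def self.fixed_status(configured, supplied)
    return 406 if unconfigured?(configured)
    tokens_match?(configured, supplied) ? 200 : 406
  end
end

# Minimal stand-in for bounce bookkeeping: each accepted bounce event raises
# the address's score, and past a threshold mail to it is disabled.
class BounceLedger
  THRESHOLD = 4.0 # assumed; the real threshold is a Discourse site setting
  attr_reader :scores

  def initialize
    @scores = Hash.new(0.0)
  end

  # Only webhook calls that passed the auth check may touch the score.
  def record(status, email, points)
    return false unless status == 200
    @scores[email] += points
    true
  end

  def email_disabled?(email)
    @scores[email] >= THRESHOLD
  end
end

# Forge a burst of hard bounces for a victim against an instance whose
# webhook token is unconfigured (the condition the CVE requires). The
# attacker never sends a token; only the server-side check differs.
def forge_bounces(checker, configured_token: "", victim: "victim@example.test", events: 5)
  ledger = BounceLedger.new
  events.times do
    status = checker.call(configured_token, nil)
    ledger.record(status, victim, 1.0) # assumed +1.0 per hard bounce
  end
  { accepted: ledger.scores[victim], disabled: ledger.email_disabled?(victim) }
end

if __FILE__ == $PROGRAM_NAME
  [
    ["SendGrid-style, vulnerable", WebhookAuth.method(:vulnerable_status)],
    ["Mailpace, vulnerable",       WebhookAuth.method(:mailpace_vulnerable_status)],
    ["any endpoint, fixed",        WebhookAuth.method(:fixed_status)],
  ].each do |label, checker|
    r = forge_bounces(checker)
    puts "#{label}: score=#{r[:accepted]} disabled=#{r[:disabled]}"
  end
end
```

The design point is the direction of the default: in the vulnerable shape an absent secret disables the check, in the fixed shape an absent secret disables the endpoint. Any webhook receiver that reads its shared secret from configuration should fail closed the same way, because a blank setting is the normal state of a freshly enabled integration.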

Generated by OpenCVE AI on April 17, 2026 at 14:21 UTC.

Remediation

Fixed in Discourse 2025.12.2, 2026.1.1, and 2026.2.0: every webhook endpoint now rejects requests with a 406 response when no authentication token is configured. Workaround for unpatched instances: configure a webhook authentication token for each enabled email provider integration in site settings (sendgrid_verification_key, mailjet_webhook_token, postmark_webhook_token, sparkpost_webhook_token). No workaround is available for the Mailpace endpoint short of upgrading.

OpenCVE Recommended Actions

  • Upgrade Discourse to 2025.12.2, 2026.1.1, or 2026.2.0 (or later). In these releases every webhook endpoint rejects requests with a 406 when no authentication token is configured, so a blank setting can no longer be used to bypass the check.
  • Until the upgrade lands, configure a unique, randomly generated authentication token for each enabled email provider integration in the site settings (e.g., sendgrid_verification_key, mailjet_webhook_token, postmark_webhook_token, sparkpost_webhook_token) and register the same value with the provider; a blank setting is exactly the condition that makes the endpoint exploitable.
  • For Mailpace, where the unpatched code performs no token validation at all, no setting closes the gap: upgrade, or disable the Mailpace webhook on the provider side and block the endpoint at the reverse proxy until the instance is patched (the advisory itself lists no workaround for this provider).

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*

Fri, 27 Feb 2026 17:15:00 +0000

Type: Metrics (values added)
SSVC v2.0.3: Exploitation: none; Automatable: yes; Technical Impact: partial


Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared (values added): Discourse; Discourse discourse
Type: Vendors & Products (values added): Discourse; Discourse discourse

Thu, 26 Feb 2026 15:15:00 +0000

Type: Description (value added): as given under Description above
Type: Title (value added): Discourse doesn't ensure webhooks require a token
Type: Weaknesses (value added): CWE-287
Type: References (value added): none recorded
Type: Metrics (value added): cvssV3_1 score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T16:19:00.984Z

Reserved: 2026-02-10T18:01:31.902Z

Link: CVE-2026-26077

Vulnrichment

Updated: 2026-02-27T16:18:56.769Z

NVD

Status : Analyzed

Published: 2026-02-26T15:17:36.653

Modified: 2026-03-02T21:53:56.453

Link: CVE-2026-26077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses