Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Server-side request forgery allowing arbitrary outbound connections
Action: Patch immediately
AI Analysis

Impact

The vulnerability is in Discourse's group email settings test endpoint (the "Group SMTP test endpoint" of the advisory title), which accepts a mail server host and port and makes the Discourse server open an outbound connection to them. Because host and port are caller-controlled, the endpoint can be pointed at internal hosts and services, and since a settings test reports whether the connection worked, the caller learns which internal addresses and ports accept connections; that is enough to enumerate services and map internal network topology. This is a classic server-side request forgery (CWE-918). It does not by itself provide code execution or privilege escalation, but it weakens confidentiality and supports lateral reconnaissance, which the CVSS 4.0 vector reflects (VC:L and SC:L, with no integrity or availability impact). The attack requires an authenticated account that owns a group; staff privileges are not needed.

Affected Systems

The flaw affects the Discourse open-source discussion platform itself (vendor and product are both listed as Discourse). Vulnerable versions are 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and the 2026.3.0-latest builds that precede the 2026.3.0 release; the fixed versions are 2026.1.3, 2026.2.2 and 2026.3.0.

Risk and Exploitability

The CVSS 4.0 score places the issue at medium severity. No EPSS score is available, and the vulnerability is not in the CISA KEV catalog, which means no exploitation in the wild has been confirmed, not that exploitation is hard: the only preconditions the record states are network access to the forum and an account that owns a group (PR:L in the vector), with no user interaction required (UI:N). In deployments where ordinary users can create or own groups, exploitation is therefore plausible. A successful attacker can make the Discourse server open connections to internal IPs and ports of their choosing and learn which ones are reachable, which is the reconnaissance value of the bug.
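
The two paragraphs above describe the mechanism (an SMTP settings test that connects wherever it is told) and why that is an oracle for internal hosts. The following Ruby is an added example written for this page, not Discourse's code and not the actual patch: it sketches the unguarded pattern the CVE describes and then a hardened target check that validates every resolved address against internal ranges and restricts the port. The blocked ranges, the port list, and the `unguarded_smtp_test` / `validated_smtp_target` names are assumptions for illustration.

```ruby
require "ipaddr"
require "resolv"
require "net/smtp"

# --- Added example, not Discourse's code -----------------------------------
# Sketch of the pattern the CVE describes: host and port come straight from
# the request and go straight to the socket. The caller learns from the
# result (banner, "connection refused", timeout) whether something listens
# there, which is the port-probing oracle. Defined for contrast, never called.
def unguarded_smtp_test(host, port)
  Net::SMTP.start(host, port) { |smtp| smtp.helo("test.invalid") }
  "ok"
rescue StandardError => e
  e.message
end

# --- Hardened form ----------------------------------------------------------
# Address ranges an outbound settings test must never reach. The list is an
# assumption for this example (unspecified, RFC 1918, CGNAT, loopback,
# link-local incl. cloud metadata, multicast, reserved, IPv6 ULA/link-local).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10 ff00::/8
].map { |cidr| IPAddr.new(cidr) }.freeze

# Ports a mail-settings test may target (assumption: SMTP/submission only).
ALLOWED_SMTP_PORTS = [25, 465, 587].freeze

class SsrfBlocked < StandardError; end

# IPv4-mapped IPv6 (::ffff:127.0.0.1) must be checked as the IPv4 it wraps,
# otherwise it slips past an IPv4-only blocklist.
def blocked_address?(ip)
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.family == ip.family && range.include?(ip) }
end

# Resolve host to every address it maps to. The resolver is injectable so the
# check can run without DNS; the default uses the system resolver.
def resolve_all(host, resolver: ->(h) { Resolv.getaddresses(h) })
  host = host.delete_prefix("[").delete_suffix("]")
  literal = host.match?(/\A[\d.]+\z/) || host.include?(":")
  addrs = literal ? [host] : resolver.call(host)
  raise SsrfBlocked, "#{host} did not resolve" if addrs.empty?
  addrs.map { |a| IPAddr.new(a) }
rescue IPAddr::InvalidAddressError
  raise SsrfBlocked, "#{host} is not a valid host or address"
end

# Returns [ip, port] that is safe to connect to, or raises SsrfBlocked.
# Every resolved address is checked (a name resolving to one public and one
# internal address is rejected), and the caller should connect to the
# returned IP rather than re-resolving the name, which closes the
# check-then-use DNS rebinding window.
def validated_smtp_target(host, port, resolver: ->(h) { Resolv.getaddresses(h) })
  begin
    port = Integer(port)
  rescue ArgumentError, TypeError
    raise SsrfBlocked, "invalid port #{port.inspect}"
  end
  raise SsrfBlocked, "port #{port} is not an SMTP port" unless ALLOWED_SMTP_PORTS.include?(port)
  addrs = resolve_all(host, resolver: resolver)
  bad = addrs.find { |ip| blocked_address?(ip) }
  raise SsrfBlocked, "#{host} resolves to disallowed address #{bad}" if bad
  [addrs.first.to_s, port]
end
```

Two caveats when applying this pattern. Connecting to the validated IP instead of the hostname means the TLS layer no longer knows which name to verify, so the original hostname has to be handed to the SMTP client separately (recent net-smtp versions accept a `tls_hostname:` keyword for this). And the test endpoint's own error reporting is part of the attack surface: once a target is rejected or a connection fails, return one generic failure to the user rather than distinguishing "refused" from "timed out", since that distinction is exactly what turns the endpoint into a port scanner.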

Generated by OpenCVE AI on March 31, 2026 at 19:36 UTC.

Remediation

Vendor fix: upgrade to Discourse 2026.1.3, 2026.2.2 or 2026.3.0 (or later). No workaround is listed on this page.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Discourse version 2026.1.3, 2026.2.2, or 2026.3.0 or later.
  • Until the upgrade is in place (general SSRF mitigation, not a vendor-published workaround): limit which accounts can own groups, since only group owners can reach the endpoint, and apply egress filtering from the Discourse host to internal address ranges, since the issue is an outbound-connection SSRF.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Discourse; Discourse discourse
Vendors & Products  |                | Discourse; Discourse discourse

Tue, 31 Mar 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | (description text as shown at the top of this page)
Title       |                | Discourse: Group SMTP test endpoint susceptible to SSRF
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T17:41:44.893Z

Reserved: 2026-03-17T22:16:36.720Z

Link: CVE-2026-33185

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-31T18:16:52.113

Modified: 2026-03-31T18:16:52.113

Link: CVE-2026-33185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:37:32Z

Weaknesses