Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Internal Network Probing via SSRF
Action: Apply Patch
AI Analysis

Impact

The Discourse group SMTP test endpoint contains a Server Side Request Forgery flaw that allows an authenticated non‑staff group owner to supply arbitrary URLs. When used, the server will resolve and connect to the supplied host and port, effectively opening a channel for the attacker to probe internal network infrastructure. This vulnerability enables internal reconnaissance, discovery of services, or mapping of internal topology, and is classified as CWE‑918.

Affected Systems

Vulnerable releases are all Discourse versions from 2026.1.0 up to (but excluding) 2026.1.3, from 2026.2.0 up to (but excluding) 2026.2.2, and from 2026.3.0 up to (but excluding) the final 2026.3.0 update. The fix was applied in Discourse 2026.1.3, 2026.2.2, and 2026.3.0. No other vendors or products are affected beyond the Discourse forum platform.

Risk and Exploitability

With a CVSS base score of 5.3 and an EPSS lower than 1 %, the overall risk level is moderate but the likelihood of exploitation is low. The vulnerability is not listed in CISA’s KEV catalog, indicating no widespread exploitation has been reported. The attack requires that the attacker possess group‑owner permissions, a privilege that may exist in many organisations but typically only applies to trusted users. Prompt patching eliminates the ability to perform internal network probing from the Discourse instance.

Generated by OpenCVE AI on April 9, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Discourse 2026.1.3, 2026.2.2, or 2026.3.0 to receive the fix.
  • If an upgrade cannot be performed immediately, restrict the group SMTP test endpoint so that only staff members can use it, preventing non‑staff group owners from triggering outbound requests.
  • Verify that the endpoint has been removed for non‑staff users and monitor outbound connections from the Discourse server for any unexpected activity.

Generated by OpenCVE AI on April 9, 2026 at 18:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
Metrics cvssV3_1

{'score': 5.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Tue, 31 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Title Discourse: Group SMTP test endpoint susceptible to SSRF
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Discourse Discourse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:47:00.577Z

Reserved: 2026-03-17T22:16:36.720Z

Link: CVE-2026-33185

cve-icon Vulnrichment

Updated: 2026-04-01T13:46:55.592Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T18:16:52.113

Modified: 2026-04-09T15:51:02.510

Link: CVE-2026-33185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:46:00Z

Weaknesses