Impact
The vulnerability lies in the spam host allowlist logic of Discourse's spam protection. Prior to the patched release, the code used a plain string suffix check (String#end_with?) to decide whether an email domain matched an allowlisted domain. Because the check did not require a dot boundary, an attacker‑controlled domain such as attacker-example.com matched an allowlist entry for example.com, bypassing the newuser_spam_host_threshold and letting the attacker send spam messages through the platform. The weakness is classified as improper access control (CWE‑284). The direct consequence is weakened spam filtering, which can allow malicious content to reach users or consume server resources.
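To make the boundary problem concrete, the following is an added illustration in Ruby, not code from Discourse itself. It assumes the allowlist is a plain array of domain strings (a constructed sample is embedded) and places the bare suffix check the advisory describes beside a hardened match that accepts only the exact domain or a subdomain separated by a dot. The helper names and the host extraction routine are assumptions for the example.

```ruby
require "uri"

# Constructed sample allowlist; Discourse's real setting may differ in shape.
ALLOWED_SPAM_HOSTS = %w[example.com forum.example.org].freeze

# Vulnerable pattern described in the advisory: a bare String#end_with?
# lets "attacker-example.com" satisfy the entry "example.com" because the
# suffix matches without any dot boundary.
def allowlisted_suffix_only?(host, allowlist = ALLOWED_SPAM_HOSTS)
  host = host.to_s.downcase
  allowlist.any? { |allowed| host.end_with?(allowed.downcase) }
end

# Hardened check (assumed fix shape): the host must equal the allowlisted
# domain exactly, or end with ".<allowed>" so that only true subdomains
# match. Case and a trailing root dot are normalised first.
def allowlisted_host?(host, allowlist = ALLOWED_SPAM_HOSTS)
  host = host.to_s.downcase.chomp(".")
  allowlist.any? do |allowed|
    allowed = allowed.downcase.chomp(".")
    host == allowed || host.end_with?(".#{allowed}")
  end
end

# Pull the host out of a URL or a "user@domain" style value; returns nil
# when nothing parseable is present.
def host_of(value)
  s = value.to_s.strip
  return s.split("@").last if s.include?("@")

  s = "http://#{s}" unless s.match?(%r{\A[a-z][a-z0-9+.\-]*://}i)
  URI.parse(s).host
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $PROGRAM_NAME
  %w[example.com mail.example.com attacker-example.com notexample.com].each do |h|
    puts format("%-22s suffix-only=%-5s boundary-aware=%s",
                h, allowlisted_suffix_only?(h), allowlisted_host?(h))
  end
end
```

Running the script prints one line per sample host; the two attacker-style hosts pass the suffix-only check and fail the boundary-aware one, which is exactly the gap the patch closes.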
Affected Systems
The issue affects the Discourse open‑source discussion platform. Versions before 2026.3.0-latest.1, before 2026.2.1, and before 2026.1.2 are vulnerable. All installations of these releases are susceptible; upgrading to any of the patched versions removes the flaw.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate impact, and the EPSS score of less than 1% indicates a low likelihood of exploitation. The issue is not listed in the CISA KEV catalog, so it is not known to be actively exploited. Exploitation would require an attacker to rely on an existing allowlist entry (or to have influence over the allowlist) and to control a domain whose name ends with that entry; from there, a remote attacker could use the crafted domain to bypass the spam checks. Because no active exploitation is documented, administrators should treat the risk as low but still apply the patched release promptly.
OpenCVE Enrichment