Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] for posts that arrived via incoming email. Category moderation group members reaching the review queue could therefore read the full inbound email source (headers, sender trace, MUA, body) without being in view_raw_email_allowed_groups — the trust boundary that gates the dedicated raw-email endpoint. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Published: 2026-06-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Discourse’s ReviewableQueuedPostSerializer exposed the entire raw email payload of posts received via incoming email to any member of the category moderation group who accessed the review queue. This allowed reviewers to view the email’s headers and body without permission to do so via the dedicated raw‑email endpoint, resulting in an information‑disclosure flaw (CWE‑200). The flaw does not provide code execution or denial‑of‑service capabilities but could leak private message content or sender details to unauthorized reviewers.
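As an added illustration that is not Discourse's own code, the pair of plain-Ruby serializers below shows the pattern the description names: one emits payload["raw_email"] for every viewer of the queued item, the other gates it on membership in a constructed view_raw_email_allowed_groups list, the same check that should protect the dedicated raw-email endpoint. All class, method and setting names here are hypothetical stand-ins.

```ruby
# Constructed stand-ins for a queued post and the user viewing the review queue.
QueuedPost = Struct.new(:id, :raw, :payload, keyword_init: true)
User = Struct.new(:username, :group_ids, keyword_init: true)

# Constructed site setting: group ids allowed to read raw inbound email.
VIEW_RAW_EMAIL_ALLOWED_GROUPS = [1].freeze

# The trust boundary: only members of an allowed group may see raw email.
def can_view_raw_email?(user)
  (user.group_ids & VIEW_RAW_EMAIL_ALLOWED_GROUPS).any?
end

# Vulnerable pattern: raw_email is emitted for anyone who can see the item,
# so a category moderator reviewing the queue gets headers, trace and body.
def serialize_queued_post_vulnerable(post, _viewer)
  { id: post.id, raw: post.raw, raw_email: post.payload["raw_email"] }.compact
end

# Hardened pattern: raw_email is included only when the viewer clears the
# same group check that gates the raw-email endpoint.
def serialize_queued_post_fixed(post, viewer)
  out = { id: post.id, raw: post.raw }
  if can_view_raw_email?(viewer) && post.payload.key?("raw_email")
    out[:raw_email] = post.payload["raw_email"]
  end
  out
end
```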

Affected Systems

Affected systems include the open‑source Discourse discussion platform versions 2026.1.0 through 2026.1.3, 2026.3.0 through 2026.3.0, and 2026.4.0 through 2026.4.0. The vulnerability was fixed in releases 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0‑latest.1. Exploitation requires membership in the moderation group configured for the review queue, and the vulnerability persisted across all three minor branches of the 2026 release line.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity vulnerability, and the EPSS score of less than 1% suggests that exploitation is unlikely in the wild. The issue is not listed in CISA’s KEV catalog, further implying a low likelihood of exploitation. An attacker would need to first gain membership in a category moderation group that has access to the review queue. Once a reviewer is in that group, they can read the raw email content of queued posts, potentially exposing confidential communication.

Generated by OpenCVE AI on June 12, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to a patched release (2026.1.4, 2026.3.1, 2026.4.1, or a newer 2026.5.0‑latest).
  • If an immediate upgrade is not feasible, remove or restrict review‑queue access for category moderation groups that should not read raw emails.
  • Enable logging or audit trails for review‑queue access to detect any past exposure of raw email content.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 22:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Discourse; Discourse discourse

Type: Vendors & Products
Values removed: (none)
Values added: Discourse; Discourse discourse

Fri, 12 Jun 2026 21:00:00 +0000

Type: Description
Values removed: (none)
Values added: the description text shown at the top of this page

Type: Title
Values removed: (none)
Values added: Discourse: Category queue reviewers can read raw incoming emails from queued posts

Type: Weaknesses
Values removed: (none)
Values added: CWE-200

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:22:45.347Z

Reserved: 2026-05-07T19:20:44.690Z

Link: CVE-2026-44780

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T21:16:21.643

Modified: 2026-06-12T21:16:21.643

Link: CVE-2026-44780

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:45:28Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor