Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Published: 2026-06-12
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the reply handling of whisper posts allows authenticated users who are not members of the whisper-allowed groups to create staff-only whisper messages. The injected content is visible only to staff, effectively enabling non-whisperers to impersonate staff or spread misinformation within the privileged channel. This weakness is an access control violation (CWE-284).

Affected Systems

The vulnerability affects the open-source Discourse discussion platform. Versions 2026.1.0 through 2026.1.3, version 2026.3.0, and version 2026.4.0 are impacted. Only sites that have the whispers feature enabled are susceptible.

Risk and Exploitability

The CVSS score is 5.4, indicating a moderate impact, and the EPSS score is less than 1 %, suggesting a very low probability of exploitation. The vulnerability is not listed in CISA KEV. Attackers must be authenticated and have the ability to reply to a whisper post; the attack vector is therefore internal via legitimate user accounts. No external network attack vector is described, and there is no serious impact on confidentiality or system integrity beyond the unauthorized posting of content to the whisper channel. The flaw permits a compromised or malicious ordinary user to inject staff-level whispers, which could be used for social engineering or misinformation against staff or sensitive discussions.

Generated by OpenCVE AI on June 12, 2026 at 22:29 UTC.
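The missing check described above, as an added illustration in Ruby (Discourse's language) that is not Discourse's own code: every name in it (WhisperPolicy, Post, User, the allowed-groups array) is constructed for this example, and the real code path patched in CVE-2026-44783 is not shown on this page. The weak variant inherits the parent's whisper flag; the hardened variant decides on the replier's own entitlement.

```ruby
# Added illustration, not Discourse source. Every name here (WhisperPolicy,
# Post, User, whispers_allowed_groups as a plain array) is constructed for
# this example; the exact code path that CVE-2026-44783 fixes is not shown
# on this page.

Post = Struct.new(:id, :whisper)     # whisper: true for a staff-only whisper
User = Struct.new(:name, :groups)    # groups: names of the groups the user is in

class WhisperPolicy
  def initialize(whispers_enabled:, whispers_allowed_groups:)
    @enabled = whispers_enabled
    @allowed = whispers_allowed_groups
  end

  # Entitlement to whisper depends on the replier alone: whispers must be
  # enabled and the user must be in one of whispers_allowed_groups.
  def can_whisper?(user)
    @enabled && (user.groups & @allowed).any?
  end

  # Weak pattern (constructed): a reply to a whisper inherits the parent's
  # whisper flag, and the replier's entitlement is only checked when they ask
  # for a whisper explicitly. Anyone who can submit a reply to a whisper
  # therefore lands in the staff-only channel.
  def reply_post_type_weak(user, parent, requested_whisper)
    whisper = parent.whisper || (requested_whisper && can_whisper?(user))
    whisper ? :whisper : :regular
  end

  # Hardened pattern: the replier's own entitlement decides, whether the
  # whisper flag was requested or inherited. A non-whisperer's reply to a
  # whisper is rejected rather than silently promoted.
  def reply_post_type_hardened(user, parent, requested_whisper)
    return :regular unless parent.whisper || requested_whisper
    unless can_whisper?(user)
      raise ArgumentError, "#{user.name} is not in whispers_allowed_groups"
    end
    :whisper
  end
end
```

The same rule applies to any other field a reply inherits from its parent: re-validate it against the acting user, not against the parent post.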

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 depending on the installed version.
  • Verify that the whispers_allowed_groups setting includes only staff and that no other roles are authorized.
  • If an upgrade cannot be applied immediately, temporarily disable replies to whisper posts for non-whisperer users or restrict the whispers feature until the fix is installed.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 23:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Discourse
                                        Discourse discourse
  Vendors & Products                    Discourse
                                        Discourse discourse

Fri, 12 Jun 2026 21:00:00 +0000

  Type          Values Removed   Values Added
  Description                    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
  Title                          Discourse: Replying to a whisper lets non-whisperers create staff-only whisper posts
  Weaknesses                     CWE-284
  References
  Metrics                        cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:23:14.886Z

Reserved: 2026-05-07T19:20:44.690Z

Link: CVE-2026-44783

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T21:16:21.917

Modified: 2026-06-12T21:16:21.917

Link: CVE-2026-44783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:30:08Z

Weaknesses