Impact
Discourse allows non-admin group owners to view the outgoing email and SMTP credentials recorded in the group history log. The exposed fields include email_password, email_username, smtp_server, smtp_port, and smtp_ssl_mode. Exposure of the SMTP password, in particular, permits an owner to authenticate and send email on behalf of the group from outside the platform, enabling phishing or other malicious mail campaigns. The vulnerability is a classic information disclosure flaw (CWE‑200). The loss of confidentiality could undermine user trust and potentially lead to credential compromise of downstream email services.
Affected Systems
The flaw is present in Discourse Community Edition versions 2026.1.0 through 2026.1.3, 2026.3.0, and 2026.4.0. The issue was fixed in 2026.1.4, 2026.3.1, 2026.4.1, and any release following 2026.5.0. Affected deployments are those that have per‑group SMTP credentials configured and have granted ownership of a group to users who are not staff.
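The version ranges and deployment conditions above, expressed as a triage check. This is an added example, not code from Discourse or the advisory; the inventory layout (name, smtp_configured, owners, staff) and the function names are assumptions, and a version outside the listed ranges is reported only as not matching them.

```ruby
# Added example: exposure triage built from the ranges and conditions stated above.
# The group hash layout (:name, :smtp_configured, :owners, :staff) is a
# constructed inventory format, not Discourse's data model.

# Affected ranges as listed in this advisory (inclusive on both ends).
AFFECTED_RANGES = [
  %w[2026.1.0 2026.1.3],
  %w[2026.3.0 2026.3.0],
  %w[2026.4.0 2026.4.0],
].map { |lo, hi| Gem::Version.new(lo)..Gem::Version.new(hi) }.freeze

# True when the version falls inside one of the affected ranges listed above.
def affected_version?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |range| range.cover?(v) }
end

# A group is exposed when the site runs an affected version, the group has
# per-group SMTP credentials configured, and at least one owner is not staff.
def exposed_groups(version, groups)
  return [] unless affected_version?(version)

  groups
    .select { |g| g[:smtp_configured] && g[:owners].any? { |o| !o[:staff] } }
    .map { |g| g[:name] }
end

# Constructed sample inventory.
SAMPLE_GROUPS = [
  { name: "support", smtp_configured: true,  owners: [{ user: "alice", staff: false }] },
  { name: "billing", smtp_configured: true,  owners: [{ user: "bob",   staff: true }] },
  { name: "meetups", smtp_configured: false, owners: [{ user: "carol", staff: false }] },
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[2026.1.2 2026.1.4 2026.4.0 2026.4.1].each do |v|
    puts "#{v}: affected=#{affected_version?(v)} " \
         "exposed=#{exposed_groups(v, SAMPLE_GROUPS).inspect}"
  end
end
```

Groups returned by exposed_groups are the ones whose SMTP credentials were readable by a non-staff owner through the group history log.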
Risk and Exploitability
The vulnerability has a CVSS score of 6.5, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at present, and the issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to hold group owner rights; an attacker with that access can retrieve the credentials directly from the logs. Once obtained, the credentials can be used to send spoofed or malicious email, but the scope is limited to the resources configured for the affected group. Overall, the risk is moderate but non‑negligible, especially for sites that expose sensitive SMTP details and grant group ownership to potentially untrusted users.