Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on one site in a multisite deployment to access backup files belonging to another site when backups are stored locally. In affected configurations, an admin on Site A could potentially retrieve sensitive backup data from Site B (same host, multisite) by crafting a backup download request with a traversal payload. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Published: 2026-06-12
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in Discourse's local backup handling lets an authenticated administrator in a multisite deployment download backup files belonging to another site on the same host. The flaw, classified as CWE-22, can leak backup data and other sensitive information, exposing site configurations, user data, or other confidential content. This unauthorized read access threatens the confidentiality of every site's backups whenever they are stored locally.

Affected Systems

The vulnerability affects the Discourse forum platform in versions from 2026.1.0 up to but not including 2026.1.4, from 2026.3.0 up to but not including 2026.3.1, and from 2026.4.0 up to but not including 2026.4.1. Any multisite deployment that stores backups locally is susceptible, regardless of other configuration settings.

Risk and Exploitability

The CVSS score of 6.8 places the issue in the medium severity range, and the EPSS score below 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires administrator credentials on a different site within the same multisite installation and involves sending a crafted download request containing a path traversal sequence. Although the attack surface is limited, the confidentiality impact warrants immediate action, especially in environments that keep local backups on the same server.

Generated by OpenCVE AI on June 12, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Discourse instance to a patched release: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 or later.
  • If updating immediately is not feasible, restrict access to the local backup directory by configuring stricter file permissions or moving backups to a remote, non‑public storage location.
  • Audit administrator accounts and monitor backup download requests for anomalous activity, ensuring that only legitimate admins initiate backup retrievals.

Generated by OpenCVE AI on June 12, 2026 at 22:38 UTC.
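Worked illustration of the confinement check a multisite backup download path needs, added here as an example and not taken from Discourse's code or from the advisory. It assumes each site's local backups sit in their own subdirectory of an assumed BACKUPS_ROOT, named after the site's database, and shows why a bare-filename check and a post-resolution prefix check together stop the cross-site read described above.

```ruby
require "pathname"

# Assumed layout for this illustration (not Discourse's actual paths):
# every site in the multisite deployment keeps its local backups under
# BACKUPS_ROOT/<site_db>/ and must never read outside that directory.
BACKUPS_ROOT = "/var/discourse/backups".freeze

class BackupPathError < StandardError; end

# Resolves a backup download request to an absolute Pathname inside the
# current site's own backup directory, or raises BackupPathError.
# site_db comes from the server-side request context, never from the client.
def resolve_backup_path(site_db, requested, root: BACKUPS_ROOT)
  site_dir = Pathname.new(root).join(site_db).expand_path

  # Layer 1: a backup name is a bare file name. Anything carrying a
  # directory separator (either kind), "..", or nothing at all is rejected
  # before the filesystem is consulted.
  if requested.nil? || requested.empty? ||
     requested != File.basename(requested) ||
     requested.include?("..") || requested.include?("\\")
    raise BackupPathError, "backup filename must be a bare file name"
  end

  # Layer 2: even with a well-formed name, the resolved path has to stay
  # strictly below site_dir (the trailing separator stops "site_a" from
  # matching "site_a_other" or site_dir itself).
  candidate = site_dir.join(requested).expand_path
  unless candidate.to_s.start_with?(site_dir.to_s + File::SEPARATOR)
    raise BackupPathError, "resolved path escapes the site's backup directory"
  end
  candidate
end

# Boolean form for authorization checks and for logging rejected requests,
# which is the signal the monitoring recommendation above is looking for.
def backup_request_allowed?(site_db, requested, root: BACKUPS_ROOT)
  resolve_backup_path(site_db, requested, root: root)
  true
rescue BackupPathError
  false
end
```

Neither layer resolves symlinks: if a site's directory could ever contain one, compare File.realpath of the existing file against site_dir as well before serving it.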

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 23:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Discourse
                                        Discourse discourse
Vendors & Products                      Discourse
                                        Discourse discourse

Fri, 12 Jun 2026 21:00:00 +0000

Type          Values Removed    Values Added
Description                     Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on one site in a multisite deployment to access backup files belonging to another site when backups are stored locally. In affected configurations, an admin on Site A could potentially retrieve sensitive backup data from Site B (same host, multisite) by crafting a backup download request with a traversal payload. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Title                           Discourse: Cross-site backup access via path traversal in multisite local backups
Weaknesses                      CWE-22
References
Metrics                         cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Discourse Discourse
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:25:33.729Z

Reserved: 2026-05-13T07:45:21.251Z

Link: CVE-2026-45775

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T21:16:23.267

Modified: 2026-06-12T21:16:23.267

Link: CVE-2026-45775

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:15:10Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')