Open-Source Discussion Platform Vulnerability in Discourse
CVE-2026-32113

5.1MEDIUM

Key Information:

Vendor

Discourse
Status
Discourse
Vendor
CVE Published:
31 March 2026

What is CVE-2026-32113?

A vulnerability exists in Discourse, an open-source discussion platform, where the StaticController's enter action can read the sso_destination_url cookie without validating its content. This lack of validation allows attackers to redirect users to untrusted external sites, potentially leading to phishing attacks or data theft. The issue affects versions 2026.1.0-latest through 2026.1.2, 2026.2.0-latest through 2026.2.1, and 2026.3.0-latest. Patches were released in subsequent versions to enhance security against these redirection attacks.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.3 < 2026.1.0-latest, 2026.1.3

discourse >= 2026.2.0-latest, < 2026.2.2 < 2026.2.0-latest, 2026.2.2

discourse >= 2026.3.0-latest, < 2026.3.0 < 2026.3.0-latest, 2026.3.0

References

https://github.com/discourse/discourse/security/advisorie...
x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/080408b93d0...
x_refsource_MISC
https://meta.discourse.org/t/using-discourse-as-a-sso-pro...
x_refsource_MISC

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.