Email Exposure in Discourse Open-Source Discussion Platform by Discourse
CVE-2026-44780

4.3MEDIUM

Key Information:

Vendor

Discourse

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-44780?

The Discourse platform, used for online discussions, has a vulnerability that allows unauthorized users to access sensitive email data. Versions from 2026.1.0 to before 2026.1.4, as well as 2026.3.0 to before 2026.3.1, and 2026.4.0 to before 2026.4.1, inadvertently expose the full raw email source including headers and body to the moderation group members in the review queue. This is due to a flaw in the ReviewableQueuedPostSerializer that fails to properly restrict access to the raw email data. Users can be granted insight into email origins without proper permissions. This issue has been successfully patched in subsequent versions, ensuring better protection of user email privacy.

Affected Version(s)

discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1

discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1

discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.