Email Exposure in Discourse Open-Source Discussion Platform by Discourse
CVE-2026-44780
What is CVE-2026-44780?
The Discourse platform, used for online discussions, has a vulnerability that allows unauthorized users to access sensitive email data. Versions from 2026.1.0 to before 2026.1.4, as well as 2026.3.0 to before 2026.3.1, and 2026.4.0 to before 2026.4.1, inadvertently expose the full raw email source including headers and body to the moderation group members in the review queue. This is due to a flaw in the ReviewableQueuedPostSerializer that fails to properly restrict access to the raw email data. Users can be granted insight into email origins without proper permissions. This issue has been successfully patched in subsequent versions, ensuring better protection of user email privacy.
Affected Version(s)
discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1
discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1
discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4