Discourse Vulnerability Exposes Email Credentials to Group Owners
CVE-2026-44784
What is CVE-2026-44784?
A vulnerability in Discourse allows group owners, who may not have administrative or moderation privileges, to access SMTP credentials—including email passwords—through the group's history log. This risk is particularly significant for setups that have configured unique SMTP credentials for individual groups. As a result, unauthorized group owners can misuse access to send emails impersonating the group, which can lead to the compromise of sensitive information. The vulnerability has been resolved in subsequent versions, ensuring that OAuth and secure credential handling practices are upheld.
Affected Version(s)
discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4
discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1
discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1